Meaningful Use_Privacy and Security Standards

January 30, 2010

Today, I would like to discuss the meaningful use guidance on privacy and security. This is the aspect of EHR that patients are most concerned about. The privacy and security standards are based on HIPAA. Some of the standards are specific, while others leave the approach open to allow for innovation. The standards are as follows:

- General Encryption and Decryption of Electronic Health Information: A symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192, or 256 bit encryption key must be used (e.g., FIPS 197 Advanced Encryption Standard, (AES), Nov 2001).

- Encryption and Decryption of Electronic Health Information for Exchange: An encrypted and integrity protected link must be implemented (e.g., TLS, IPv6, IPv4 with IPsec).

- Record Actions Related to Electronic Health Information (i.e., audit log): The date, time, patient identification (name or number), and user identification (name or number) must be recorded when electronic health information is created, modified, deleted, or printed. An indication of which action(s) occurred must also be recorded (e.g., modification).

- Verification that Electronic Health Information has not been Altered in Transit: A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit. The secure hash algorithm used must be SHA-1 or higher (e.g., Federal Information Processing Standards (FIPS) Publication (PUB) Secure Hash Standard (SHS) FIPS PUB 180-3).

- Cross-Enterprise Authentication: Use of a cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails (e.g., IHE Cross Enterprise User Assertion (XUA) with SAML identity assertions).

- Record Treatment, Payment, and Health Care Operations Disclosures: The date, time, patient identification (name or number), user identification (name or number), and a description of the disclosure must be recorded.

Certified Information Systems Auditors (CISA) should focus on these standards.
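The audit-log and in-transit integrity requirements listed above can be checked mechanically; the following Python is an added example, not part of the original post. The field names, action labels and sample data are assumptions, and SHA-256 is used as one choice of "SHA-1 or higher".

```python
import hashlib
import hmac
from datetime import datetime

# Actions the audit-log standard names: created, modified, deleted, printed.
AUDITED_ACTIONS = {"create", "modify", "delete", "print"}
# Fields the standard requires on every record (field names are hypothetical).
REQUIRED_FIELDS = ("timestamp", "patient_id", "user_id", "action")
# "SHA-1 or higher": SHA-1 and the SHA-2 family defined in FIPS PUB 180-3.
ALLOWED_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512"}


def audit_record_problems(record):
    """Return the reasons a record fails the audit-log standard (empty if none)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("timestamp"):
        try:
            # Both the date and the time must be present in the timestamp.
            datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            problems.append("timestamp is not a valid date and time")
    if record.get("action") and record["action"] not in AUDITED_ACTIONS:
        problems.append(f"unknown action {record['action']!r}")
    return problems


def digest(payload: bytes, algorithm: str = "sha256") -> str:
    """Hash a payload, refusing algorithms outside the permitted set."""
    if algorithm not in ALLOWED_HASHES:
        raise ValueError(f"{algorithm} is not an allowed hash (SHA-1 or higher)")
    return hashlib.new(algorithm, payload).hexdigest()


def unaltered_in_transit(payload: bytes, sent_digest: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest on receipt and compare it in constant time."""
    return hmac.compare_digest(digest(payload, algorithm), sent_digest.lower())


# Constructed sample data, not taken from any real system.
GOOD = {"timestamp": "2010-01-30T14:05:00", "patient_id": "MRN-0001",
        "user_id": "nurse42", "action": "modify"}
BAD = {"timestamp": "2010-01-30", "patient_id": "", "user_id": "nurse42",
       "action": "view"}
MESSAGE = b"<ClinicalDocument>constructed sample</ClinicalDocument>"

if __name__ == "__main__":
    print(audit_record_problems(GOOD), audit_record_problems(BAD))
    sent = digest(MESSAGE)
    print(unaltered_in_transit(MESSAGE, sent), unaltered_in_transit(MESSAGE + b" ", sent))
```

A bare digest detects alteration only if the digest itself arrives over the encrypted and integrity protected link that the exchange standard requires (e.g., TLS).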


Meaningful Use_Vocabulary Standards

January 23, 2010

First, I have decided to set up a monthly newsletter. I hope to begin mid-February. If you are interested in receiving this newsletter (there is no charge), send me your email address at info@pinarus.com. Your email addresses will not be used for any other purpose besides receiving this newsletter. The intent is for this blog to provide general, weekly updates while the newsletter will provide more in-depth monthly coverage of the Health IT environment.

So let’s discuss vocabulary standards in terms of meaningful use.  ONC has set vocabulary standards for various EHR components.  Below is the list of the components and their respective vocabularies:

-Problem List: ICD-9-CM or SNOMED CT

-Information related to procedures: ICD-9-CM or AMA CPT-4

-Medication List: Standard that integrates RxNorm

-Lab Results in patient summaries: LOINC when original lab results utilized LOINC, otherwise, local or proprietary codes

-Remainder of Patient Summary: TBD in Stage 2 of Meaningful Use

-Drug Formulary Check: NCPDP Formulary & Benefits Standard 1.0

-E-Prescribing: NCPDP SCRIPT 8.1 or NCPDP SCRIPT 8.1 and 10.6

-Administrative Transactions: HIPAA Transaction Standards to include Accredited Standards Committee (ASC) X12N Subcommittee standards or NCPDP standards for the relevant covered transactions

-Quality Reporting: CMS PQRI 2008 Registry XML Specification

-Submission of Lab Results to Public Agencies: same standard for populating lab results as for patient summary record

-Submission to Public Health Agencies for Surveillance or Reporting: TBD

-Submission to Immunization Registries: CVX - Vaccines Administered


Meaningful Use_Content Exchange Standards

January 16, 2010

Content Exchange refers to the standards used to exchange clinical information. Meaningful Use requires that Electronic Healthcare Records use Health Level 7 (HL7) Clinical Document Architecture (CDA) Release 2 Level 2 CCD or ASTM CCR to exchange a patient summary record. Additionally, if the record is in a different format, it should be displayed in human readable form.

CCD Level 1 and HL7 Version 3 Reference Information Model based on CCD Level 3 are alternate standards.


Meaningful Use_Transport Standards

January 10, 2010

In my previous post, I discussed the performance and functional standards of meaningful use as encapsulated by the objectives. Today I would like to begin the discussion of technical standards, specifically, transport standards. The other technical standards include vocabulary standards, content exchange standards and privacy and security standards. Transport standards refer to the standards used to establish a common, predictable, secure communication protocol between systems.

The proposed transport standards are Simple Object Access Protocol v1.2 (SOAP) and Representational State Transfer (REST). SOAP is a protocol specification used for the exchange of structured information in web services. It was chosen because it was widely used and versatile. It is platform and language independent.

REST is a software architecture designed for distributed hypermedia. An important concept of REST is the idea of Web resources (sources of specific information) that are referenced with a global identifier.

These transport standards make the intent apparent: ONC desires to create an internet-type network for Health IT. In this network, needed information can be accessed quickly, like on the internet.


Meaningful Use Update_Performance and Functional Standards

January 2, 2010

As I mentioned in my most recent post, ONC has published its draft meaningful use guidance.  I will dedicate this week and next week to the Interim Final Rule (the actual definitions of meaningful use). Follow-on posts will discuss the Medicare/Medicaid Incentive program.

This week, I will highlight some of the background information and the performance and functional standards. Highlights are as follows:

  • Meaningful Use implementation will come in three stages.  Stage 1 begins in 2011, Stage 2 in 2013 and Stage 3 in 2015.
  • This guidance focuses on Stage 1. 
  • The Meaningful Use guidance takes into account the work of HITSP, AHIC and CCHIT.  However, these groups will be replaced by the HIT Policy Committee and the HIT Standards Committee. 
  • Additionally, the actual method for certifying EHR technology will come in the form of future guidance.  I realize that designing such a process will take time but the delay is a bit disconcerting.  I hate to see one more reason to slow implementation.
  • The guidance discusses EHR modules.  These modules are components that when taken together form an EHR system.  The intent is that a provider can have modules from various EHR producers working together to form a system. These modules must still comply with relevant standards.  The guidance cites as an example a program to submit public health information to gov’t agencies. My opinion is that modules are critical to innovation…providers will be able to “customize” their solution and therefore, choose the best modules.  Modules clear the way for “cloud computing” and for small software providers.
  • The guidance provides objectives for EHR/EHR modules used by eligible professionals and hospitals. Some of the objectives are performance oriented such as recording BMI information while others are functional such as maintaining security. My question is who qualifies as an eligible professional. Would an eye doctor, for example, have to maintain an entire EHR or could he or she be allowed to maintain only relevant modules?

Next week I will discuss the technical standards such as transport, privacy, etc.


Meaningful Use Defined!!!!!

December 31, 2009

ONC has released its proposals for Meaningful Use and EHR Certification at www.healthit.hhs.gov. They met their goal of having guidance in December 2009. Unfortunately, the Meaningful Use and the EHR certification guidance comes in at 136 pages. The incentive program comes in at 556 pages. I hope that the regulations are not so complex and confusing that meaningful use ends up creating more confusion.

Anyway, I will be reading through the documents and commenting on this blog.  I also will provide comments to ONC as they have requested.

Happy New Year!!!!


State Implementation of Healthcare Reform

December 31, 2009

Below is a link to a Letter to the Editor that I wrote.  It was published in the Press of Atlantic City today.  I make a general proposal to ensure that NJ begins a planning process for implementing the federal Healthcare Reform package.  While I disagree with much of the bill, I feel that failing to plan for its implementation will only augment troubles for financially strapped states like NJ.

http://www.pressofatlanticcity.com/opinion/letters/article_e74d4164-0d6d-5566-a7c2-1df5a720cbbb.html


Update

December 27, 2009

Update

November 8, 2009

Check out my most recent blog on www.hospitaimpact.org.  I discuss internal controls and meaningful use.

 


Healthcare 2.0 and Meaningful Use

October 18, 2009

You can read some more of my blogs at www.hospitalimpact.org.

I was recently reading about the Healthcare 2.0 Conference (http://www.health2blog.com/) held in San Francisco. Some of the major themes were EMRs as platforms for running applications and social networking. There were many interesting innovations and insights. As I read about them, I wondered how these new ideas will integrate with meaningful use. Will the final regulation make room for these innovations and, more importantly, will the expense and compliance involved with meaningful use deter providers from going beyond what is required? Will larger developers be able to influence future iterations of Meaningful Use into making their applications requirements? On the positive side, will providers who offer some of these new applications gain a market advantage against those who move strictly with meaningful use?

We probably do not know the answer to any of these questions. However, I think these are ideas that we need to think about as we move forward in the regulation of EMRs and Meaningful Use.