Friday, May 15, 2009

The First Meeting of the HIT Standards Committee

Today, Jonathan Perlin and I ran the first meeting of the new HIT Standards Committee. The members are:

Jonathan Perlin, MD, Chair
Healthcare Corporation of America

John Halamka, MD. Vice-Chair
Harvard Medical School

Dixie Baker, PhD
Science Applications International Corporation

Anne Castro
BlueCross BlueShield of South Carolina

Christopher Chute, MD
Mayo Clinic College of Medicine

Janet Corrigan, PhD
National Quality Forum

John Derr, R.Ph.
Golden Living, LLC

Linda Dillman
Wal-Mart Stores, Inc.

James Ferguson
Kaiser Permanente

Steven Findlay, MPH
Consumers Union

Douglas Fridsma, MD, PhD
Arizona Biomedical Collaborataive 1

C. Martin Harris, MD, MBA
Cleveland Clinic Foundation

Stanley M. Huff, MD
Intermountain Healthcare

Kevin Hutchinson
Prematics, Inc.

Elizabeth O. Johnson, RN
Tenet Health

John Klimek, R.Ph.
National Council for Prescription Drug Programs

David McCallie, Jr., MD
Cerner Corporation

Judy Murphy, RN
Aurora Health Care

J. Marc Overhage, MD, PhD
Regenstrief Institute

Gina Perez, MPA
Delaware Health Information Network

Wes Rishel
Gartner, Inc.

Richard Stephens
Boeing

Sharon Terry, MA
Genetic Alliance

James Walker, MD
Geisinger Health System

We began the meeting with introductory remarks from Dr. Blumenthal. He emphasized the need to improve care quality, efficiency, and the scope of healthcare coverage. He noted that technology is a tool that facilitates meaningful use and leads to better care. The goal is better health, not implementation of IT for technology's sake.

Jodi Daniel provided us with important statutory background on the committee. Here are few key points from her presentation and the discussion which followed

1. The purpose of the committee is to recommend standards, implementation specifications, and certification criteria to the National Coordinator for the electronic exchange and use of health information. The committee is not limited to standards selection, it covers the process from end to end - standards, implementation, and certification criteria. It will gather input from standards harmonization and development organizations, implementation guide writers, and certifying organizations to make recommendations which enable data exchange in support of meaningful use.

2. There are 8 areas of policy focus
-Technologies that protect the privacy of health information
-A nationwide health information technology infrastructure
-The utilization of a certified electronic record for each person in the US by 2014
-Technologies that support accounting of disclosures made by a covered entity
-The use of electronic records to improve quality
-Technologies that enable identifiable health information to be rendered unusable/unreadable
-Demographic data collection including race, ethnicity, primary language, and gender
-Technologies that address the needs of children and other vulnerable populations

You'll see a great deal of discussion in the HIT Policy and Standards Committees about these issues. These 8 areas are our guiding principles!

3. The HIT Standards Committee will have two standards adoption processes
- expedited, in support of the statutory deadline for HHS to publish an interim file rule on initial standards, implementation specifications and certification criteria by 12/31/09. For this process, we'll leverage the already approved/recognized standards.

- normal, the committee will receive guidance from the HIT Policy Committee and typically within 90 days will make recommendations. Note that these recommendations may include naming standards, identifying gaps, and asking standards harmonization/development organizations to do further work.

4. NIST will serve a role to test the standards. To clarify, this work is to ensure the standards are appropriately documented and technically adequate for their intended purpose. NIST will not certify products - that will be left to certification organizations.

5. The summary of the entire process is illustrated in picture above.

We then discussed the types of data exchanges which might constitute meaningful use. ONC and HHS have not yet provided official guidance on meaningful use, so these are contingencies - our best guess as to the data exchanges likely to enable meaningful use.

Clinical Operations - ePrescribing/medication management, lab ordering/resulting, clinical summary exchange (problem list, medication list, allergies, text based reports including op notes, diagnostic testing reports, discharge summaries)

Quality - Process, outcomes, treatment plans, medical decisionmaking, health behaviors

Security - Transport, secure messaging, authentication, authorization, auditing

We elected to form three working groups to focus on these areas. These groups will conduct phone meetings and include additional experts as needed.

In the discussion that followed a few major themes emerged:

a. We need a high level roadmap of milestones to ensure we meet our statuary deadlines for initial deliverables in time for the 12/31/09 interim rule.
b. We also need a roadmap which takes into account the other mandates/compliance requirements already imposed on healthcare stakeholders such as ICD-10 and X12 5010. We need to ensure our clinical work is in synch with administrative data exchange activities already in progress.
c. Although we should provide for the exchange of basic text, we should strive for semantic interoperability whenever possible, using controlled vocabularies which are foundational to decision support and quality reporting.
d. We should set the bar for interoperability higher than the status quo but also make it achievable, realizing that rural providers and small clinician offices have less capabilities than large academic health centers. We'll need to retrofit many existing systems - healthcare IT is not a greenfield and thus we need to be realistic about the capabilities of existing software, while also encouraging forward progress and innovation.
e. Meaningful use will change over time. Data exchange and the standards we select must evolve. To ensure successful adoption throughout the industry, our work must be continuous incremental progress with phased adoption of standards.

I will serve as Chair of HITSP and Vice-Chair of the HIT Standards Committee simultaneously, coordinating communication between these two organizations. I look forward to the work ahead.

14 comments:

e-Older American said...

During the public comment period at the end of today's HIT Standards Committee meeting (held in Washington) which I attended by phone, I volunteered to be a "real life use case". My volunteering followed my comments concerning the importance of semantic interoperability, both at the human level as well as at the machine level (computer to computer).

Ten years ago, as the Data Administrator/Consultant for the Center for Uniformity, Security and Privacy (CUSP) in the (then) Department of Health and Family Services (DHFS) I participated as a beta tester for a distributable metadata registry called MetaPro sponsored by the (then) Health Care Financing Administration (HCFA) and Environmental Protection Agency (EPA). At the time I was also the representative from DHFS to Health Level 7 (HL7).

In anticipation of what I thought would be an opportunity, but never visualizing the "amazing opportunity of an alignment that has never occured in history" I joined the American National Standards Institute (ANSI) in January, in order to participate in developing standards that will personally benefit me and many others, who are, or will be senior citizens. I already had been participating via Webex in meetings of the Health Information Technology Standards Panel (HITSP) which didn't require being an ANSI member, but given my mission, I joined in order to have a "seat at the table" in discussion of any or all standards affecting senior citizens.

My company's name is Metasteward LLC and has the following mission statement:

Metasteward LLC's mission is to be recognized as the organization of choice for consultation on defining and recommending consumer empowerment and protection standards for senior citizens.

I hope my past life experiences in all areas, as well as my current experiences in trying to make sense of and navigate all the electronic and manual systems (both beneficial and harmful) that confront me on a daily basis will cause me to be selected as a volunteer "use case". I'd also like to mention that I do not have a day job.

Ahier said...

Thanks for your leadership John. It was very good meeting. There was a great conversation on Twitter using hastag #HITpol for both meetings this week and I have the transcript from this mornings meeting posted HERE (despite the transcription errors :-)

Tom Mariner said...

Great first meeting.

Some of the items that stand out to me:

improve care quality, efficiency, and the scope of healthcare coverage. He noted that technology is a tool that facilitates meaningful use and leads to better care - Although the term "cost saving" was not uttered, the "better" means room for the improvements we will make.

The deadline for milestones of EOY 2009 seem reasonable, but what will be written into the legislation in August 09? Like the approach of setting the bar.

Is medical imaging included somewhere in Clinical Operations? It is a well established and relatively widely used DICOM standard. [this is one of the author's fields of expertise for better or worse.]

And lastly, this blog and other sharing technologies is going to make the standards process proceed faster and more accurately than previous attempts.] The fact that it is a high priority of the President should build a fire under all of us as well.

Unknown said...
This comment has been removed by the author.
Unknown said...
This comment has been removed by the author.
Unknown said...

First of all your amazing John. I think someone cloned you years ago or your some sort of hologram dashing around the country doing good deeds.

2 short observations

1) Having a solid communication and engagement policy / strategy will be as important as data and technology standards.

It isn't clear if the Policy or the Standards committee should own this (perhaps a good role for the NeHC?) but the key to any successful implementation actually has less to do with data and technology and everything to do with communication and stakeholder engagement.

This communication and engagement has to happen before, during and after an implementation with both providers and consumer / patients in order to have a successful implementation in one doctors office or the entire country.

When you start to see IT companies (who haven't implemented a single EMR) hosting a national tour to "educate the 500,000 providers) about ARRA you have if the role and responsibility matrix is clear for the project or why you have lost control of the message.

At its core this is a odd combination of a consumer product and a political campaign and you can expect to see the same techniques used.

It is critically important that the project sponsor (ONC) balances the "platform" and the "process" with the often forgotten and harder to measure 3 leg of complex software implementations "people".

We aren't creating new software from scratch simply trying to encourage adoption and there is no evidence that it is the lack of standards or policy that is the reason this hasn't happened yet. There are also very few implementations that fail for technical reasons but many many that fail because of poor communication and lack of stakeholder engagement. Is for example the consumer voice as strong as that of the vendors?

Tommorow for example there will be a front page article in the Washington Post disucsing the role that vendors played and are playing in the HIT legislation and conversation. Are consumers or providers pulling this project forward? What standards and policies will be used to accomplish the most basic goal of "adoption".

2) In order to have a patient centered health care system you need to have a patient centered design process.

Nearly all of the standards are have a built in provider point of view. How consumers define "outcomes that matter" is often different then "meaningful use".

Great start though we seem to be forgotten how people change. It is rarely data and it isn't the lack of HIT that accounts for the differences in quality between the US and the EU.

In clinical operations for example a patient / consumer might want health care anywhere via email, telemedicine, online tools and quality might mean that at each encounter they are aware of and receive the standard of care for their condition at that encounter with that provider not that their clinic hits the mark 90% of the time.

KevinCoonanMD said...

I am encouraged by this, and recognize the expertise of several members of the committee.

It isn't clear to me how some of this work will be completed. There is a chronic underfunding of healthcare IT standards development in the US which needs to be urgently addressed in a multi-million dollar manner. Before another dime of US tax dollars are spent to provide EHRs and PHRs to providers and consumers, we need to spend relatively little ($5-10M) to get those standards which are critical dependencies to semantic interoperability finished.

There is also a huge gap in what informatics training programs are teaching and what is needed to train people to work on and with the advanced health care IT standards needed to provide semantic interoperability. Given the investment that NIH/NLM is making, it doesn't seem unreasonable to create some standard curriculum which can provide that level of expertise needed beyond the basic introduction to standards and controlled terminologies which are now provided.

Medical Quack said...

Congratulations! Glad we have one of the "smart" folks where we need them. If anyone watched the AHIC last meeting, that you posted a while back in November of last year they will immediately realize why you are the person.

The AHIC folks referred to you as the "jet", which is a good thing as the rest of the members just were not up to this needed level to make things happen, so be the "jet", or a build fleet of them if needed:)

geekgoalie said...

So, when will we know what meaningful use means? National Coordinator for Health IT David Blumenthal said: “We hope to provide a direction and some specifications in the late spring, early summer.” He did not specify which year :-)

Michael Magrath said...

John, It was a pleasure attending the meeting in-person last Friday. I am Michael Magrath, of Gemalto. I provided the public comment regarding authentication into systems containing electronic health information.

The reason for my comment is that protecting an individual’s medical information and their privacy is the most important and fundamental element of an electronic health record system. If those protections are omitted then the entire system is undermined. Personal health information is highly sensitive information and warrants the need for very high confidence in the accuracy of the asserted identity of those who attempt to access it. Once it is compromised and into the wrong hands the data contained in it is irreversible and the consequences can affect the victim for his or her lifetime. An NPR poll released the week of April 20 indicated that 76% of respondents had positive impressions of EHRs, however 72% believe their privacy would be violated through EHRs. The security of personal health information is far different compared to other types of personal information including financial. Unlike financial information, there are no policies and procedures in place to restore one’s health information once it is compromised. Additionally, organizations and professionals have a fiduciary obligation to ensure transmission of information is properly authenticated between respective parties.

Only Level 4 assurance (two or three factor authentication) as defined by National Institute of Standards and Technology (NIST) provides the highest practical assurance of remote network authentication. Level 4 authentication requires that the claimant prove through a secure authentication protocol that the claimant controls the token. Moreover, the HIEs and RHIOs will undoubtedly be targets of hackers given the nature of the information and those whose private and personal health information is contained. Level 4 authentication prevents eavesdropper, replay, online guessing, verifier impersonation, and man-in-the-middle attacks. Brookhaven National Labs states on its website that passwords are the single weakest point in the standard site-security model. The majority of security attacks are achieved through password access. User authentication that relies on passwords alone fails to provide adequate protection for network systems. Implementation of level 4 assurance by organizations in the US has resulted in a 50% reduction of such attacks.

Similar implementations using such frameworks are widely utilized around the world by developed and developing countries for health care. For well over a decade these nations have experienced lower per capita expenditures on health care than the U.S.

The Health Information Security and Privacy Collaboration’s (HISPC) Adoption of Standard Policies Collaborative (ASPC) report to HHS’ ONCHIT will establish the minimum requirements for authenticating users accessing electronic health records. Those minimum requirements are not two-factor or three-factor authentication via a smart card, an encrypted token or one-time password device, but rather Level 2 assurance via a “strong” password. I have concerns that stronger authentication methods are not being adopted that would assure the privacy and confidentiality of medical records by having a higher level of assurance that the person accessing the information is who they claim to be and they have a genuine need to view and access the record. It is clear that HISPC is willing to sacrifice security in order to expedite the exchange of health information.

I have other concerns that HIEs will be architected only to meet the minimum standards of medium assurance rather than implementing strong authentication to have a very high level of assurance that the person accessing our health information is who they claim to be and have a genuine need to access the information. Any identity system requires strong authentication for the protection of personal information, especially when it is as sensitive as medical information, and consumer privacy.

It is my hope that the HIT Policy & Standards Committees will ensure our citizens personal health information is protected by mandating at a minimum two-factor authentication into any network containing electronic health records for the protection of consumer privacy.

John Cervantes said...

The best way to deploy electronic medical records in a cost and effective manner is to have a central records center operated by an independent agency, under strict government oversight. Such body should be able to implement an open standards database accessible through the Internet in a secure manner, the same way as we access our bank accounts or e-mail.

The health record form (based on open standards, not proprietary) could then be easily created and updated by any patient and her/his authorized healthcare providers, using both the patient's personal ID key (i.e. RSA key) and the provider's ID key. That way both the patient and the authorized providers can access the record during every visit, update it and keep track of it as needed, in a reliable and very secure manner. Any new entry or update would have the date and the name of the provider who entered it and the patient could decide whether to approve it or not and which parts of his/her records would be available to other providers or government agencies. There is no need to buy expensive software or hardware platforms.

Most doctors and healthcare providers already have Internet connection and computers at their offices and most patients have them at home too. And most web browsers are capable of encryption and secure authentication (i.e. Firefox), so it would be easy to manage the records without any interoperability issues at all.

It would save tens of billions of dollars of the stimulus package that should be better allocated to improve quality and coverage of healthcare where it is most needed. Those institutions that for any reason purchased expensive applications would also save many millions in current and future costs of technical support and license upgrades.

Open standards and open source are the most universal and scalable platforms to support the current and future developments and needs of electronic medical records worldwide and the myriad applications that can be used for health prevention and management, as well as for research and policy making.

Unknown said...

In health informatics and most contexts, EMR and EHR (electronic health records) are used synonymously[1], but many people define an EMR as just the physician interface and EHR including both a physician and patient interface.

Unknown said...

There is also a huge gap in what informatics training programs are teaching and what is needed to train people to work on and with the advanced health care IT standards needed to provide semantic interoperability. Given the investment that NIH/NLM is making, it doesn't seem unreasonable to create some standard curriculum which can provide that level of expertise needed beyond the basic introduction to standards and controlled terminologies which are now provided.Berkley Water Filters

Nancy Harris said...

With various health care reform bills floating around both the House and the Senate, President Barack Obama is pulling out all the stops to get the votes that the bill needs, which is good news for the public option. President Obama continues to rally behind health care reform. I am really concerned that the fiasco of this reform may make Obama a one-term president.