Thursday, November 19, 2009

The November HIT Standards Committee Meeting

The two major agenda items of the November HIT Standards Committee were the lessons learned from the Implementation Workgroup activities and security testimony from multiple industry experts in four panels - Stability/Reliability, Cybersecurity, Data Theft/Loss/Misuse, and Building Trust.

We began the day with an overview of the 10 major themes from the Implementation Workgroup testimony. We discussed how these themes could inform our work in the upcoming months as we review comments on the interim final rule, consider incremental improvements to the standards supporting meaningful use in 2013/2015, and consider tools, technologies, and education to enhance adoption.

Specific action items include:

*Work hard on vocabularies and try to get them open sourced for the entire community of stakeholders.

*Consider adding a simple REST-based transport method for point-to-point exchanges between organizations. We have already recommended SOAP (as constrained by HITSP Service Collaborations) and REST as approaches to transport. At present there is no specific guidance as to how REST should be used from a policy or technology standpoint.

*Work jointly with the HIT Policy Committee to establish a privacy framework that enables us to constrain the number of security standards.

*As we continue our work, try to use the simplest, fewest standards to meet the need.

*Continue to gather feedback on the 2011 exchanges (ePrescribing, Lab, Quality, Administrative) to determine if there are opportunities to enhance testing platforms and implementation guidance that will accelerate adoption.

Interestingly, several people approached me at the meeting to discuss rumors that the HIT Standards Committee would significantly change the existing 2011 recommendations based on the Implementation Workgroup activities. The purpose of the Implementation Workgroup was to gather feedback, create a set of guiding principles, and ensure we have the best process going forward so that the most appropriate standards are chosen. The Implementation Workgroup activities, including the blogs, the testimony, and hours of discussion, have raised the awareness of all committee members; that awareness will inform our future decision making, not revise the work of the past.

The security testimony was extremely valuable. Here are some of the "Gold Star" ideas:

Stability/Reliability
* Many existing clinical products do not provide the functionality needed to support security best practices
* Systems with FDA 510(k) clearance are often managed by vendors and lack updated operating systems and anti-virus software
* The least important systems are often the ones that get compromised first and then give attackers a path to more important systems.

Cybersecurity
*Security is a journey, and many healthcare organizations are not well resourced to implement security best practices.
*Security awareness among providers is low.
*We should focus on "evidence-based security policies and practices". Per the testimony, some dogma in security is not supported by evidence, for example:
- Passwords longer than about 5 characters do not reduce risk in any meaningful way
- Encryption of data at rest in databases and other large systems in data centers typically provides little additional security protection

Data Theft/Loss/Misuse
*Portable devices and wireless networks are a major vulnerability
*Audit logs from vendor systems may be insufficient to detect misuse of data
*Role-based security is important. Roles vary in institutions, so it will be challenging to create a one size fits all standard.

Building Trust
*Security should be layered to create defense in depth
*Data integrity is important to protect patient safety (ensure the record is accurate)
*We need baseline policies and standards for Authorization, Authentication (including identity proofing), Access Control, and Audit

A great meeting. I look forward to our next steps - reviewing the interim final rule in mid-December based on all the testimony and learning we've had to date.

Wednesday, November 18, 2009

Guiding Principles for the HIT Standards Committee

In the past few weeks, the HIT Standards Committee has gathered a significant amount of written and in person testimony from standards stakeholders. We've run the FACA blog and multiple personal blogs.

On Thursday November 19, we'll present a complete distillation of everything we've learned, but there are several recurring themes that could be called Guiding Principles. Just as HITSP was guided by Harmonization Readiness principles to choose standards that were good enough, the HIT Standards Committee has been told to think about the following whenever it recommends standards:

• Keep it simple; think big, but start small; recommend standards as minimal as possible to support the business goal and then build as you go

• Don’t let “perfect” be the enemy of “good enough”; go for the 80% that everyone can agree on; get everyone to send the basics (medications, problem list, allergies, labs) before focusing on the more obscure

• Keep the implementation cost as low as possible; eliminate any royalties or other expenses associated with the use of standards

• Design for the little guy so that all participants can adopt the standard and not just the best resourced

• Do not try to create a one size fits all standard, it will be too heavy for the simple use cases

• Separate content standards from transmission standards; i.e., if CCD is the html, what is the https?

• Create publicly available controlled vocabularies & code sets that are easily accessible / downloadable

• Leverage the web for transport whenever possible to decrease complexity & the implementers’ learning curve (“health internet”)

• Position quality measures so that they will encourage adoption of standards

• Create Implementation Guides that are human readable, have working examples, and include testing tools

We'll refine this during our meeting on Thursday and the end result should be a polished list of guidance for all our future work.

Tuesday, November 17, 2009

An Open Access Scheduling Model for Management

Wouldn't it be great if we could solve today's problems today?

Every day I receive over 1000 emails. A small number of those emails are complex problems that require multi-stakeholder coordination. Although I can try to solve such problems via email, my rule is that if more than 3 rounds of emails go back and forth about an issue, it's time to pick up the phone or have a meeting.

However, scheduling a meeting among senior managers in a large organization can take a month. By that time, the issue has either become a much larger problem or the opportunity to move forward rapidly has been lost. So much for nimble decision making.

How can we improve this situation?

I suggest we learn from the Open Access Scheduling model used in primary care.

Patients who are sick today do not want an appointment in three weeks - they need to be seen today.

In the past, clinicians noted they were so busy that their calendars were backlogged weeks to months.

But wait - if you see 15 patients per day, a backlogged calendar does not mean you are seeing more patients. Why not work through the backlog and then leave 50% of the calendar open each day for the patients who are sick that day - solve today's problems today.

The same thing can be applied to our administrative lives. Each day there are challenges created by customers, employees, and the external world. If we left 50% of our calendars open each day for solving today's problems today, we would reduce stress, enhance communication, and improve efficiency. We could even develop metrics for senior executives which measure "time to problem resolution" as a means to drive incentive compensation.

Today, we pay doctors for quantity of care delivered instead of quality. Healthcare reform is intended to change that. Administratively, we should be paid for the problems we solve, the chaos we eliminate, and the processes we improve.

Open Access Scheduling for Management - In December, I'll give it a try and report back how it works.

Saturday, November 14, 2009

CatDog

When my daughter was growing up, she watched a program called CatDog about the seamless integration of the two animals. "Their" life required constant communication and mutual understanding of the underlying cat and dog cultures.

During the work of the last 4 years, the "healthcare informatics crowd" has been labeled the cats and "internet/health 2.0 crowd" has been labeled the dogs.

At times, I've even been called the leader of the cats.

On Friday November 13, during an HIT Standards Committee Implementation Workgroup call, we reviewed the FACA blog and related postings on the blogs of Sean Nolan, Wes Rishel, Adam Bosworth. One of the participants commented that David Kibbe and I wrote blogs that converged on the same ideas. This is an achievement worth reflection.

Harmonization is the decision by consensus of a path forward that is good enough for everyone.

Compromise is the acceptance by everyone of a path forward that leaves everyone equally unhappy. It often occurs when two stakeholder groups become fatigued enough to put their differences aside.

In my blog this week, I suggested we change "No, because" to "Yes, if" and define the right tool for the job, recognizing the roles of CCD/CDA and CCR/PDF. David Kibbe did the same on the FACA blog.

Also, on the FACA blog, a posting called this right tool for the right job approach "a mistake". The comment received 48 supporting votes and 45 opposing votes - a nearly perfect balance between two points of view.

I think this means we got to 90% of the answer through harmonization and the last 10% through compromise. At the November 19 HIT Standards Committee meeting, we'll discuss all the lessons we learned in the Implementation Workgroup that led us to develop guiding principles such as embracing the simplest standards needed for the specific business need. Yes, there is a role for CCD/CDA and CCR/PDF.

David - welcome to CatDog. We'll have a great life together.

Friday, November 13, 2009

Cool Technology of the Week

Recently, Harvard Medical School implemented a secure password reset architecture that is my cool technology of the week.

Forgotten password processes typically work by asking the user to answer a secret question. However, the answers to such questions may be weak or may be findable on social networking sites, which often disclose detailed personal information (favorite vacation spot, favorite food, favorite car etc.)

We elected to use a two-factor approach - something that you have and something that you know. Since more than 90% of Harvard faculty, staff, and students have mobile devices, we elected to send a PIN code for password resetting to their cell phones.

The technology is very simple. Each telephone carrier operates an email-to-SMS gateway that turns an email addressed by a convention such as phonenumber@phonecarrier.com into a text message. We send a random code by email (translated to SMS by the carrier) to the user's device, and the user proves possession of the device by entering that code into our site. The codes are time-limited, which narrows the window in which a captured code could be used.

All password resets at Harvard Medical School now require this approach. We implemented it for 22,000 users and have thus far received a dozen calls to the help desk. Here's the email I sent to the community about it.

"To the HMS Community:

To comply with new Massachusetts data protection regulations, which take effect on March 1, 2010, we must make several changes to our policies and technologies. The new regulations require all HMS mobile devices be encrypted; govern how employees are allowed to keep, access and transport records containing personal information outside of business premises; require that an institution knows where every computing system -- including laptops and portable devices -- containing personal information is located; and require reasonable monitoring of systems for unauthorized use/access to personal information. You can read more about the new regulations on my blog.

To ensure the integrity of all personal data, we will begin making some of the changes now. Effective today, password resetting at HMS includes an optional feature called SafeCode, which we have piloted over the past year. Whenever a password reset is requested, a code to complete the reset will be sent to your cell phone to protect your account.

Over the next month, we'll complete an evaluation of products that will help ensure the safety of laptops and other mobile devices. We'll keep you informed of software applications and services that will be available to the HMS community to ensure compliance with the new regulations.

If you have questions about any aspect of these regulations, please see the Harvard Enterprise Information Security Policy or contact the Help Desk. Thank you for your support of our efforts to further protect the privacy of personal information.

Sincerely,

John D. Halamka, MD
Chief Information Officer
Harvard Medical School"
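The flow described above (random code, delivered through a carrier's email-to-SMS gateway, validated with a time limit) is simple enough to show end to end. The following is an added example written for this post, not Harvard Medical School's SafeCode code. Everything beyond what the post states is an assumption and is marked as such: 6-digit codes, a 10-minute lifetime, single use, a cap of 5 wrong guesses per code, HMAC storage of the code rather than the code itself, and constructed gateway domains (real carrier gateway hostnames vary and change). The email transport is injected so the block runs offline; in production it would hand the message to the institution's SMTP relay.

```python
"""Added example: issuing and verifying SMS-delivered password reset codes.

Illustrative only; not the SafeCode implementation described in the post.
Assumptions (not from the post): 6-digit codes, 10-minute validity, single
use, 5 wrong guesses per code, HMAC-protected storage. Gateway domains are
constructed sample data, not real carrier addresses.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_LENGTH = 6          # assumption: 6 decimal digits
CODE_TTL_SECONDS = 600   # assumption: 10-minute validity window
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed before the code is voided

# Constructed sample of carrier email-to-SMS gateway domains (placeholders).
SMS_GATEWAYS = {
    "examplecarrier": "sms.example-carrier.invalid",
    "othercarrier": "text.other-carrier.invalid",
}


@dataclass
class PendingReset:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class ResetCodeService:
    """Issues one-time reset codes over an email-to-SMS gateway and verifies them."""

    def __init__(self, send_email: Callable[[str, str], None], clock: Callable[[], float] = time.time):
        # send_email(to_address, body) is the injected transport; clock is injectable for tests.
        self._send_email = send_email
        self._clock = clock
        self._pending: Dict[str, PendingReset] = {}
        # Per-process key so a leaked pending-reset table does not reveal live codes.
        self._secret = secrets.token_bytes(32)

    def _hash(self, username: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{username}:{code}".encode(), hashlib.sha256).digest()

    @staticmethod
    def gateway_address(phone_number: str, carrier: str) -> str:
        """Build the phonenumber@gateway address for a 10-digit North American number."""
        digits = "".join(ch for ch in phone_number if ch.isdigit())
        if len(digits) != 10:
            raise ValueError("expected a 10-digit phone number")
        if carrier not in SMS_GATEWAYS:
            raise ValueError(f"unknown carrier: {carrier}")
        return f"{digits}@{SMS_GATEWAYS[carrier]}"

    def issue(self, username: str, phone_number: str, carrier: str) -> str:
        """Generate a fresh code, store only its HMAC, send it, return the gateway address used."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # A new request replaces any earlier outstanding code for this user.
        self._pending[username] = PendingReset(
            code_hash=self._hash(username, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        address = self.gateway_address(phone_number, carrier)
        # Keep the message minimal: the email leg to the carrier is not confidential.
        self._send_email(address, f"Your password reset code is {code}. "
                                  f"It expires in {CODE_TTL_SECONDS // 60} minutes.")
        return address

    def verify(self, username: str, submitted: str) -> bool:
        """True exactly once for the live, unexpired code; False otherwise."""
        pending = self._pending.get(username)
        if pending is None or pending.used:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[username]
            return False
        pending.attempts_left -= 1
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(pending.code_hash, self._hash(username, submitted)):
            pending.used = True
            return True
        if pending.attempts_left <= 0:
            del self._pending[username]   # too many wrong guesses: user must request a new code
        return False
```

Two design points matter more than the code itself. A 6-digit code is guessable if an attacker gets unlimited tries, so the attempt cap and the short lifetime together are what make the code a real possession proof. And because the message transits email before it becomes SMS, the code should be the only thing in the message and should be worthless a few minutes later, which is why the service stores an HMAC and voids the code on first successful use.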

Thursday, November 12, 2009

The China Study

As readers of my blog know, I'm a vegan and a locavore, and I grow my own vegetables organically. I avoid caffeine and exercise by climbing, cycling, hiking, kayaking, and skiing.

As a vegan, I cannot get B12 from vegetables, so I take a B supplement.

Living in the Northeast, wearing sunscreen while outdoors, and working indoors during the week, I do not produce all the Vitamin D my body needs. Of course, this is just an artifact of a modern office-bound existence. I take Vitamin D each day. Vitamin D toxicity can be a problem, since it is a fat-soluble vitamin retained in the body (along with Vitamins A, E and K), so more is not better. Take the amount recommended by your doctor.

There are many books about healthy living, but the one book that incorporates all the elements that I have found to work for me is The China Study by T. Colin Campbell. The book examines the relationship between food and health, incorporating data about cancer rates, heart disease, diabetes and their prevalence among different societies with different diets. The data is compelling - an all vegetable, high fiber diet markedly reduces and reverses the lifestyle diseases which afflict our affluent industrial society.

I highly recommend the book, as well as the work of Michael Pollan.

You'll discover that the food industry is not our friend - highly processed, high calorie foods, rich in high fructose corn syrup are killing us, but making profits for the agribusiness, the meat industry, and food packaging conglomerates. The food industry lobby is one of the strongest in Washington, making the status quo very challenging to change.

Healthcare reform starts at home - read The China Study and decide for yourself.

Try an organic, locally grown, all vegetable diet with minimal Vitamin B12 and Vitamin D supplements and no caffeine. Your body will thank you for it. I realize that such a diet is not possible in some urban locations where food choices may be limited to convenience stores. I know that fresh vegetables may be more expensive per calorie and thus unaffordable.

My hope is that by putting more government resources into diet education and support for the right foods, we'll be able to eat our way back to health, a better economy, and higher quality lives.

Wednesday, November 11, 2009

The Magic of Middleware

As I mentioned in my blog about Certification versus Meaningful Use, there will be 9 data exchanges required in 2011:

ePrescribing
Sending reminders to patients
Checking insurance eligibility
Submitting claims
Providing patients with an electronic copy of their record
Providing patients electronic access to their records
Capability to exchange key clinical information (e.g., problem list, medication list, allergies, test results) among care providers and patient authorized entities
Capability to submit data to immunization registries
Capability to provide syndromic surveillance data to public health agencies

It's unlikely that clinician offices and hospitals will rip and replace existing systems. It will take several years for vendors to create upgraded software versions which support all these exchanges and for organizations to deploy them. That means that in the interim, it's likely that we'll need middleware at the border of organizations which translates legacy standards and proprietary vocabularies into the data exchange standards which will be required by the December interim final rule.

Over the past few months, I've met with many middleware companies. Here are the ones to watch:

Emdeon - provides clearinghouse services and analytics. Although it typically has focused on X12 administrative transactions, its infrastructure could easily be leveraged to transport clinical content

Surescripts - provides the eRx transactions among payers, providers, and pharmacies. Although this infrastructure transports chiefly NCPDP content, it could easily be leveraged to transport other types of clinical content

Intersystems - provides an integration engine for communication within and between enterprises

Edifecs - provides data transport and data mining/business intelligence services on transported data

Orion Healthcare - provides software which maps various standards from one to another and provides transport

Health Language Inc. - provides vocabulary translation services

Intelligent Medical Objects - provides vocabulary translation services and tools which enable clinicians to translate free text into controlled vocabularies.

Visionshare - provides transport of data to Medicare (CMS) using the internet and not a proprietary network. You can imagine a company like Visionshare providing a secure front end from clinician offices to the Nationwide Health Information Network.

Covisint - originally provided supply chain integration for the auto industry, but is now expanding into healthcare transactions such as automated clinician credential verification for the AMA.

Although at some future point EHR software vendors will include standard content/vocabulary interfaces and the NHIN (aka "the Healthcare Internet") will provide secure transport, these middleware companies will help us with the glide path from the present to the future. I'm confident there will be disruptive innovation in the middleware market, including the notion of using PHRs such as Microsoft HealthVault and Google Health as hubs to collect patient data and exchange it as the patient wishes.

It's hard to predict the future, but if HIPAA administrative simplification provides us with lessons learned about adoption and implementation, middleware vendors will be very important in the years ahead.