Monday, July 12, 2010

The HIPAA Privacy, Security, and Enforcement NPRM

On July 8, HHS released the Notice of Proposed Rulemaking on HIPAA Privacy, Security, and Enforcement. It will be published in the Federal Register on July 14.

What are the key points of these proposed HITECH HIPAA Modifications?

1. The rule updates the definition of Business Associates to include health information organizations, eRx gateways or other entities that provide protected health information transmission services to a covered entity and require access on a routine basis to such information. It also includes any Personal Health Record vendor acting on behalf of a covered entity. Note that Google and Microsoft act on behalf of the patient, not the covered entity, so this proposed rule does not change the status of Google Health or Microsoft HealthVault as they are currently structured. Finally, the rule also includes any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a Business Associate.

2. It stipulates that Business Associates must comply with all requirements of the HIPAA Security Rule. They may use or disclose protected health information as permitted by a business associate agreement or required by law. They may not use or disclose information in violation of the HIPAA Privacy Rule. They must provide electronic access to data to the covered entity, individual, or individual’s designee.

3. Business associates must enter into formal business associate agreements with subcontractors (subBAs). They must take corrective action if they learn of subBA noncompliance. They are liable for violations by subBAs (assuming that subBAs are acting within the scope of their agreement).

4. Covered entities and their business associates must obtain authorization for the sale of protected health information (even if use/disclosure is otherwise permissible), except:
Public health, treatment, payment, sale of Covered Entity/Business Associate activities on behalf of the Covered Entity, to an individual, required by law, or if remuneration is reasonable, cost-based fee to cover the cost of preparation/transmittal (includes research).

5. Covered Entities and their Business Associates must provide access in the electronic form and format requested if readily producible, otherwise in a readable electronic form and format as agreed to by the Covered Entity and individual (such as a PDF). They must provide an electronic copy to a designee, if the request is in writing and clearly identifies the designee and where to send the copy. They may charge for labor and media (if the copy is provided on physical media).

6. Covered Entities and their Business Associates must agree to requests to restrict disclosures to health plans if such disclosure is not otherwise required by law and the protected healthcare information relates to services for which the individual (or a 3rd party other than the health plan) has paid the Covered Entity in full.

7. Other areas of the proposed rule include:

Marketing - does not require authorization if the communication discloses the fact that the covered health care provider is receiving financial remuneration in exchange for making the communication and provides the individual with a clear and conspicuous opportunity to elect not to receive any further such communications.

Fundraising - strengthens provisions for patients to opt out of fundraising activities.

Compound research authorizations - allows combining an authorization for the use or disclosure of protected health information for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research.

Student immunization records - allows oral agreement of parents to authorize release of immunization data to schools.

Deceased individuals - disclosure requires consent of the decedent's personal representative for 50 years following the date of death.


All of these additions are very patient centric and seem reasonable. It will be interesting to see the comments on this NPRM over the next 60 days.

Friday, July 9, 2010

Cool Technology of the Week

I recently had the pleasure of sitting next to EPA Deputy Regional Administrator, Ira Leighton, on a flight from Washington to Boston. We had a great discussion of the emerging technologies the EPA is using to create green, sustainable infrastructure.

You'll find an overview of their energy management techniques online, highlighting numerous regional efforts.

Massachusetts leads the way in many demonstration projects, creating zero energy waste water treatment plants. What does that mean?

Using specialized energy-efficient pumps and valves, photovoltaic solar energy sources, and wind power, these treatment plants are completely energy and carbon neutral.

If plants which treat wastewater via anaerobic digestion captured the Biogas released (mostly methane), an additional 340 megawatts of power could be generated.

Carbon neutral, energy neutral, water treatment that could even become an energy source via Biogas production. That's cool!

Thursday, July 8, 2010

Morning Walks with my Wife

From Spring until Fall my wife and I rise with the early morning light of dawn (my blog next Thursday will define such seemingly ambiguous terms as dawn, dusk, twilight etc.) and walk 3 miles around Lake Waban at Wellesley College.

We have our ritual - we park at the College Club and start walking at the south end of the lake. We check out the family of swans that lives on a protected point to watch the progress of their growing cygnets. We walk through the Hunnewell estate (pictured above) and its "Dr. Seuss" forest of topiary trees and Japanese tea house. We watch for the purple martins feeding their young in a lakeside meadow. I look for the emerging mushrooms on the West side of the lake so I can prepare for the day's calls from poison control about the mushrooms kids are likely to ingest.

We check out the status of Catbird, Oriole and Robin's nests, watch the young broods of ducks feeding in the marshlands, and look for muskrats carrying greens to their lodges.

Most importantly, it's a quiet time to connect, reflect on the goals of the day, the state of our family, and plans for the future. In the quiet of the morning mist and blue light of sunrise we can solve every problem and address every concern without the distraction of a screen, a blackberry, or undone house chores.

Having this time is really important. I'm convinced that 90% of stress in life is a result of miscommunication - waiting to speak instead of listening. Walks are a great way to listen - other than birdsong, the splash of fish, or buzz of a dragonfly there are no distractions. Your muscles are moving, your brain is clear, and stress is low. A few years ago, I wrote about conflict resolution and suggested figurative Walks in the Woods.

30 years of walking with my wife has led to a romance, friendship, and partnership that is as strong as when we first met in the Summer of 1980. Last week, the Boston Globe wrote about the language of marriage. Our walks have been the place where that language has blossomed.

So find your own Lake Waban and make the most of your relationship, footstep by footstep.

Wednesday, July 7, 2010

Standards for Naming Medical Devices

Medical devices are an increasingly important part of care delivery. Discussion of medical device issues has become part of the mainstream press such as last week's Boston Globe article about their security.

A year ago, I wrote about a breakthrough in medical device interoperability standards for content, vocabulary and transmission.

Important work on device interoperability continues in IEEE, IHE, and the Continua Health Alliance.

As devices increase in number and complexity, the FDA wants to ensure devices are tracked with a standardized device nomenclature facilitating recall workflow and enabling easier patient followup over the lifecycle of the device. It should be simple to identify who has what kind of device and which subcomponents have been incorporated into the device.

What are the evolving standards for naming and identifying medical devices?

There are two popular approaches.

The first is the Universal Medical Device Nomenclature System (UMDNS), which is a standard international nomenclature and computer coding system for medical devices. It contains 8,842 unique medical device concepts and definitions (preferred terms), along with an additional 15,702 entry terms to facilitate classifying of biomedical information. UMDNS contains explicit relationships among the nearly 25,000 terms, including relationships among related devices (i.e. component devices versus the overall system). The National Library of Medicine has incorporated UMDNS into the Unified Medical Language System (UMLS).

The second is the Global Medical Device Nomenclature (GMDN). Its creation was mandated by the European Commission in order to provide the necessary tools to carry out many of the obligations required by the Medical Devices Directives. Its scope includes:
1. to give a common generic description for every general term that describes characteristics of a medical device. This is to be used for identifying similar devices to those involved in an adverse incident report;
2. to identify a device, using the generic term, for having been awarded a specific design or other certificate;
3. to serve as a basis for E-commerce – to provide a generic basis for purchasing individual types of manufactured devices, by establishing a heading for comparison of products from different manufacturers.

GMDN notes that UMDNS has been given special consideration within the GMDN. When a term selected from the UMDNS has been used as the preferred choice to create a GMDN term, the exact code of the UMDNS term has been retained.

Although the two systems share a significant common core from a past version of UMDNS, I have been told that the two have drifted apart over time.

Going forward, it would be helpful to have a single nomenclature for all devices and I expect that the HIT Standards Committee will be asked to recommend a single standard to support FDA regulatory needs.

Having a consistent device nomenclature supports quality, safety, and efficiency improvements such as

* Streamlining integration of EHRs and PHRs with home monitoring devices.
* Enhancing reporting from specialist EHRs to device registries (pacemakers, hip joints etc.).
* Reporting of adverse events from the EHR to Medwatch/FDA.

I look forward to the work ahead, harmonizing device naming to enable new functionality and provide increased safety monitoring for all the medical devices we use.

Tuesday, July 6, 2010

A Do it Yourself Meaningful Use Update Letter

In January, I wrote a Do it Yourself presentation on meaningful use for folks to use with their Board and Senior leaders.

Now that it's July, there is a different kind of Do it Yourself document - a letter to your Board and Senior leaders outlining your plan and timeframe for certification, measurement of meaningful use, and collection of your stimulus funds. We cannot be completely certain about every detail, so it's important to state what you do not know. The reason to start this communication now is that CFOs may be including stimulus dollars in budgets, not realizing that the timeframe to achieve the stimulus is still unknown.

Here's what I used.

"Dear Senior Leaders:

I want to update you on the effort in Washington to accelerate adoption of electronic health records by providing stimulus dollars to eligible professionals and hospitals.

There are three important regulations associated with this effort - the rule on standards, the rule on meaningful use, and the rule on certification. Electronic Health Records must include data standards in order to exchange data. To improve quality, safety, and efficiency, electronic health records must be used in meaningful ways. Products and self built systems must be certified as having the capabilities to support meaningful use and the standards.

Where are we on the journey?

On June 24, the final temporary certification rule was published in the Federal Register.

It outlines the process for organizations to become authorized testing and certification bodies, but it does not provide the certification criteria. Those will be part of the final meaningful use rule.

On July 1, organizations began applying to serve as testers and certifiers. The timeline for approval of these organizations is unclear but likely it will be fast.

The Certification Commission for Health Information Technology is likely to be the first organization authorized based on its extensive past experience. It is likely that several organizations will eventually be authorized. We'll have to choose one to certify our suite of software, since it is a combination of built and bought systems.

The final rule on meaningful use has not yet been published, although it is likely to be completed by the end of July.

As soon as it is published, we'll do a gap and risk analysis of our inpatient and ambulatory systems, just as I did with the interim rule.

Many organizations found aspects of the interim rule challenging for FY11 implementation. Meaningful use is not a cakewalk, it is a stretch goal for just about every organization. You should not presume that clinicians and hospitals will be able to use existing software and processes to achieve meaningful use. There will need to be upgrades and workflow change.

I've been working very aggressively to prepare us as much as possible, but until the final rule is issued, we cannot know how close or far we are.

Once the final rule is issued and certification bodies are authorized, we will proceed with certifying our inpatient and outpatient systems. If the certification process identifies gaps in functionality, we will need to enhance those systems to fill the gaps.

Once the systems are certified, then we'll need a significant education program for our clinicians, followed by a 90 day test period during which we document the use of all systems by our clinicians to achieve the thresholds required to demonstrate meaningful use.

As to timeframe, I am guessing August before certification bodies are ready, September for certification of our applications/education of our clinicians, October through December to document meaningful use, followed by initial stimulus payments in January.

If there are gaps in EHR or Health Information Exchange functionality we need to remediate, it will be later.

I've asked ONC if organizations can use a 90 day demonstration window before their systems are certified (since no software in the country is yet certified - all previous certifications have been declared void). ONC responded that the final rule will provide this clarification.

Thus, the bottom-line is that no hospital in the US yet has any idea when they'll receive stimulus payments, making inclusion of such payments in the FY11 budget very problematic.

I'll keep you updated over the next weeks and months. If there are ways to accelerate stimulus dollar payments by adding additional temporary or permanent resources, I will let you know.

John"

Feel free to use this as a template for your own letters.

Friday, July 2, 2010

Cool Technology of the Week

Last week, the Department of Homeland Security released its Draft National Strategy for Trusted Identities in Cyberspace.

The strategy includes 4 goals.
Goal 1: Develop a comprehensive Identity Ecosystem Framework
Goal 2: Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem
Goal 4: Ensure the long-term success of the Identity Ecosystem


Such an ecosystem could address

* the multiple passwords problem we all face in our organizations
* the challenge of maintaining Public Key Infrastructure locally or regionally
* the complexity of securing the endpoints in health information exchange
* digital signature as needed for many compliance requirements
* federated authentication requirements among collaborators

An ecosystem of identity management that simplifies authentication in our local, regional and federal applications - that's cool!

Thursday, July 1, 2010

Vegan Comfort Foods

What foods bring back positive memories of your childhood, your parents, or times when you've been particularly happy? Grilled Cheese and Tomato Soup? Brownies? Green Bean Casserole with crunchy onions?

In our household, we have numerous vegan comfort foods that we use for celebrations or to warm up after a day outdoors. My vegan comfort foods are:
* Homemade Vegan Curry
* Homemade Yakisoba
* Homemade Vegan Pizza
* Homemade Split Pea Soup from scratch
* Homemade Vegan Pot Pie

Their recipes are below:

Vegan Curry
1-2 teaspoons peanut or avocado oil
1 large onion, chopped
1 tub fresh tofu, firm or extra firm, cut into bite size cubes
5 large carrots, sliced into thin rounds, boiled or steamed until slightly tender
2 large Yukon Gold or White potatoes, diced and boiled or steamed until slightly tender
1 3.5oz package Golden Curry mix (medium hot)
http://www.asianfoodgrocer.com/product/golden-curry-med-hot-3-5-oz
6 cups water (doubles the water called for in the package, but this reduces the sodium overall, and increases the curry gravy)
2 tablespoons non-GMO organic cornstarch

Saute the onion in the oil, then add the tofu, browning slightly. Add carrots and potatoes and saute for a few minutes. Add 5 1/2 cups water, add the curry paste and heat to boiling. Reduce heat and simmer to thicken. Mix cornstarch in remaining 1/2 cup water and add slowly to the mixture. Serve over hot rice, optionally garnish with salt-pickled ginger strips. Goes well with steamed broccoli or other green vegetable of choice.

Yakisoba
Use fresh yakisoba noodles from an Asian market, or substitute any chow mein noodle available. Stir fry in a wok or large frying pan, in 1 tablespoon of peanut or avocado oil, any 2 cups selection of finely chopped onions, celery, and carrots, plus peas and corn as desired.
If using the fresh yakisoba noodles, add them to the stir fry until soft and lightly browned, adding the flavor packets or use soy sauce to taste.

Vegan Hawaiian Pizza
1 fresh refrigerated Multigrain pizza dough from Whole Foods Market (or substitute any preferred pizza dough, commercial or homemade)
1/4 cup low sodium marinara or pizza sauce
1/3 package Daiya mozzarella style cheese substitute
1/4 to 1/2 package Lightlife Smart Bacon, chopped
1/2 can organic pineapple chunks, or fresh pineapple as available
1 small can sliced black olives
cornmeal for base to prevent sticking

Preheat oven to 425 degrees F
Fresh dough should be left to warm slightly outside the fridge before you manipulate it.
Sprinkle cornmeal onto baking sheet. Take fresh dough and gently make into a round flat form. Before any areas become too thin, place the dough on the cornmeal, and continue to stretch the dough out into a uniform round to fill the sheet. (Of course, if you are skilled in spinning dough, go for it.)

Thinly coat the surface with the tomato based sauce, then sprinkle Daiya uniformly over surface, and follow with chopped Smart Bacon, pineapple and olives. Add green bell peppers if desired.

Cook pizza for 25 minutes or until properly melted and browned. Slice and eat.

Vegan Split Pea Soup
1 teaspoon avocado oil or preferred vegetable oil
1 pound dried green split peas
6 cups water, add more as needed
one medium onion, chopped
three medium carrots chopped
one bay leaf
3 vegan no-salt added bouillon cubes (Rapunzel)

In a soup pot, saute onion in oil over medium heat. Once softened, add carrots and saute for a couple of minutes. Add dried peas, water, bouillon, and bay leaf, and bring to a boil. Reduce heat, cover and simmer for approximately an hour until peas are completely soft. Cook longer if needed, and add more hot water if too thick. Remove bay leaf and serve.

Vegan Pot Pie
2 Whole Wheat pie crusts (per pie) - find them in the freezer section of your local market, or if you are able to make ahead of time from scratch, that is always great too
1 large Yukon Gold or White potato, diced and parboiled until slightly tender
1 cup fresh or frozen organic peas
1 cup fresh or frozen organic corn kernels
1 cup thinly sliced rounds of carrots, parboiled or steamed until slightly tender
Optional variations include green beans or broccoli as desired to taste.
1/2 stick Earth Balance vegan margarine
approx 3/4 cup unbleached white flour
vegan no salt bouillon powder (or vegan no salt bouillon cube) to taste
approx 1/2 cup soy milk, unsweetened or sweetened (substitute vegetable broth or another kind of nut milk as preferred)
1 tablespoon soy sauce or Braggs Aminos
powdered, or fresh herbs if in season, including thyme, rosemary and sage

Preheat oven to 375 degrees F. Remove crusts from freezer to allow them to become flexible. If using frozen vegetables, allow time for them to approach room temperature in advance. Pre-steam or parboil the carrots and potato. In a large saucepan, melt the margarine under medium heat and begin to stir in the flour until a gravy paste is formed. Sprinkle in vegan bouillon powder to taste. Slowly whisk in the soy milk, adding as much as is needed to create the thickness of gravy desired. Add soy sauce and herbs. Add remaining vegetables, stirring to coat all the vegetable surfaces.

Pack the vegetable mixture spoonful by spoonful into one pie crust, and mound it in the center, creating a raised center. Rub water along the rim of the crust, then tip over the second crust on top of the filled pie, and press the two rims together firmly to create a seal. Cut several slices in the top crust to allow for steam to vent.

Place the pie on a tray or foil to catch any gravy that bubbles over. Set into the oven, and cook for approximately 45 minutes. It is easy to plan ahead and make two pies so that you have leftovers - they taste great rewarmed the next day.

You can add a Gardein vegan meat substitute if you wish to create a meat textured pie.