Wednesday, February 29, 2012

The February HIT Standards Committee Meeting

The February meeting of the HIT Standards Committee included an in-depth discussion of the Stage 2 Standards and Certification NPRM, updates from the projects in our 2012 HITSC work plan, and an overview of HITPC plans for 2012. It was one of the highest energy, most optimistic meetings we've had.

We began the meeting with a review of the Standards and Certification NPRM by Steve Posnack and Doug Fridsma.  As I noted in my recent post about the NPRM, most of the HITSC "Summer Camp" recommendations were accepted.   Highlights from their presentation:

*In Stage 2, Certified Electronic Health Record Technology (CEHRT) will be "just enough" to support the functions documented during attestation.     In Stage 1, certified technology  was required for menu set items that were not part of an organization's attestation i.e. even if you did not plan to submit syndromic surveillance data, you needed to buy that technology anyway.  
*Every eligible professional/eligible hospital/critical access hospital (EP/EH/CAH)  must have a "base EHR"  that includes the ability to capture demographic data/patient history/problem lists, provide decision support, support provider order entry, record data needed to report quality, exchange electronic information, and protect confidentiality
*In addition to this base EHR, every EP/EH/CAH should have the EHR technology with capabilities for the MU core and menu set objectives they seek to achieve.  These can be a collection of modules or a complete EHR.
*Clinical Quality certification includes the ability to capture, calculate, and report clinical quality measures.   It's completely fine to use certified EHR technology to capture the data, then export it to another certified technology for calculation and reporting.   This is what BIDMC does today and to achieve it we had to do self-certification.   Now, anyone can use this approach, assembling certified components from vendors.
*The Standards specified in the 2014 Criteria include
  Content - Consolidated CDA for summaries, NCPDP for eRx, HL7 2.5.1 for public health
  Vocabulary - CVX for immunizations, SNOMED-CT for problem lists, ICD10-CM for diagnoses, LOINC for labs, RxNorm for meds, OMB, ISO639-1 for spoken language, CDA for cancer submissions 
  Transport - Direct Specifications and NwHIN Exchange
  Security - FIPS for encryption, NTP for time
*The MU Stage 2 Menu set includes  several functions with evolving standards such as Imaging display in EHRs, transmission to clinical registries, cancer case information, and family health history.  That's why they are menu set

Initial reactions from the HIT Standards Committee included

   TLS should be listed as an acceptable transmission standard for data exchange with patients
   Organizations with internal pharmacies should be allowed to use HL7 for eRx of discharge meds
   Quality reporting XML needs additional work on content, vocabularies, data model
   Imaging in MU should be clarified (view/access/transmit in an EHR or via an EHR)
   Allergy terminology should be included in the Standards Final Rule - RxNorm for meds, NDF-RT for drug classes, SNOMED-CT for non-meds
   Our focus should be the adoption of SNOMED-CT as the clinician facing vocabulary, not ICD-10
   XDR as a transport standard should be optional, as was defined in the Direct Project
   Patient Portals - Direct should be used with patients i.e. EHRs should be able to "cc the patient"

Next, Betsy Humphreys presented the Vocabulary and Code Sets update, focusing on SNOMED-CT, LOINC and RxNorm tools.  A new API to access cloud hosted SNOMED-CT resources from NLM will be available in March 2012.

Next, Dixie Baker presented the NwHIN Power Team review of NwHIN Exchange implementers comments.   Major themes included
*Complexity seems to be related to the specifications themselves which include optionality and layers of references to other specifications (indirection).  There was no specific complaint about SOAP or the need for REST
*No current Exchange implementation is being used for large scale production except the SSA's disability determination project
*The Exchange Patient Discovery architecture lacks scalability

Next, Paul Tang presented the 2012 HITPC work plan.  He reviewed the 5 year vision with 2011 being capture of structured data, 2013 being HIE/Care Coordination, and 2015 being outcomes measurement and improvement.   The 2012 work plan includes
*Q1 discussion of MU Stage 3 principles, review of the MU Stage 2 NPRM, governance, next generation quality measures
*Q2  Quality measure lifecycle, patient generated data, information exchange, EHR safety
*Q3  Stage 3 draft recommendations, long term and post-acute care, governance NPRM
*Q4  Reconcile MU3 Recs with Stage 2 Final rule, HITSC feedback on Stage 3, Consumer eHealth, Strategic plan revisions

Next, Jim Walker presented the work plan for the Clinical Quality Workgroup.

Finally, Doug Fridsma presented the S&I Framework update identifying the levels of support currently available - Self Service, Limited Service, Strategic Support and Full support.  S&I portfolio of new work includes longitudinal coordination of care, electronic submission of medical documentation signatures and content, query health, and data segmentation for privacy.

Thus, the HIT Standards Committee is on track for our 2012 work plan, the first quarter of which includes 4 projects

a.   NPRM review
b.  Quality measurement
c.  NwHIN Exchange refinement
d.  Value sets/vocabulary mapping

At the next meeting, we'll review our collective comments on the NPRM (gathered from each of our workgroups) and ensure we're on the right trajectory for our next quarter's work on standards governance, Query Health, Radiology Standards and NwHIN supporting components (Provider Directories, PKI).

Tuesday, February 28, 2012

S&I Framework Implementation Guides

Now that the Stage 2 Standards and Certification NPRM has been released, many people are asking me for the detailed implementation guides that will support it.

The S&I Framework website is being enhanced to make their work products easier to find.

In the meantime, here are some of the major S&I Framework resources

Final DNS/LDAP Hybrid Specification for Direct Project Certificate Discovery

Final Data Model for Query/Response to the Provider Directory for electronic service information (implementation guidance forthcoming):

Latest Laboratory Reporting Implementation Guide (will be balloted a second time at HL7 this spring)

Final Consolidated CDA Implementation Guide

We're getting closer to our goal of one stop shopping - a single website with all the content, vocabulary, and transport standards needed for certification.

Monday, February 27, 2012

The Stage 2 Standards and Certification NPRM

On Friday, ONC released the Standards and Certification NPRM, the companion to the CMS Meaningful Use Stage 2 NPRM.

Here's a bookmarked PDF  - thanks to Tony Panjamapirom of the Advisory Board.

In my view, the NPRM is a work of art, reflecting the work of the HIT Standards Committee, the S&I Framework, and  the multi-stakeholder consensus that fewer, more complete standards with less optionality will lead to greater interoperability.

I've always thought of healthcare standards as having three components -  content, vocabulary, and transport.

For content, the NPRM specifies HL7 2.5.1 for lab results, syndromic surveillance, reportable lab, and immunizations (HL7 2.3.1 is no longer an option).   For summary transactions, the Consolidated CDA is the only recommended standard (CCR and CCD/C32 are no longer specified).   NCPDP is specified as the standard for the exchange of prescription information between entities, including for discharge medications.

For vocabularies, the NPRM specifies a single vocabulary per domain, just as HITSC recommended
Medications - RxNorm
Problem Lists - SNOMED-CT
Discharge Diagnosis - ICD10-CM
Immunizations - CVX
Demographics preferred language - ISO 639-1
Demographics preliminary cause of death - ICD10-CM

For transport, two standards are available, consistent with the Direct Project - SMTP/SMIME and SOAP.   A RESTful option is not specified, but ONC recognizes that a RESTful implementation guide may be available in the future.

The 2014 edition of the Standards and Certification NPRM eliminates the "OR", since this standard OR that standard implies that vendors need to support both, creating an "AND" for implementers.  

The ONC NPRM is clear, unambiguous, forward looking and reasonable.   Congrats to the team who wrote it.

Thursday, February 23, 2012

A First Look at Meaningful Use Stage 2

The Meaningful Use Stage 2 Notice of Proposed Rulemaking was released today at 4:15pm.  It represents the work of hundreds of people from every healthcare stakeholder group.   I'll summarize all 455 pages this weekend and give two webinars next week (Greater New York Hospital Association and a special session for the Harvard School of Public Health).  

For now, I recommend you read this summary on pages 156-163 to understand that EPs must meet or qualify for an exclusion to 17 core objectives and 3 of 5 menu objectives.   Also that eligible hospitals and Critical Access Hospitals must meet or qualify for an exclusion to 16 core objectives and 2 of 4 menu objectives.

Other key points from the executive summary:

*For EPs, we propose a set of clinical quality measures beginning in 2014 that align with existing quality programs such as measures used for the Physician Quality Reporting System (PQRS), CMS Shared Savings Program, and National Council for Quality Assurance (NCQA) for medical home accreditation, as well as those proposed under Children's Health Insurance Program Reauthorization Act (CHIPRA) and under ACA Section 2701.

*For eligible hospitals and CAHs, the set of CQMs we propose beginning in 2014 would align with the Hospital Inpatient Quality Reporting (HIQR) and the Joint Commission's hospital quality measures.

*This proposed rule also outlines a process by which EPs, eligible hospitals, and CAHs would submit CQM data electronically, reducing the associated burden of reporting on quality measures for providers. We are soliciting public feedback on several mechanisms for electronic CQM reporting, including aggregate-level electronic reporting group reporting options; and through existing quality reporting systems. Within these mechanisms of reporting, we outline different approaches to CQM reporting that would require EPs to report 12 CQMs and eligible hospitals and CAHs to report 24 CQMs in total.

*Stage 2 meaningful use requirements include rigorous expectations for health information exchange including: more demanding requirements for e-prescribing; incorporating structured laboratory results; and the expectation that providers will electronically transmit patient care summaries to support transitions in care across unaffiliated providers, settings and EHR systems.

To understand the themes underlying Meaningful Use Stage 2, here's a great blog post from Health Affairs.

Finally, here's a PowerPoint summary you can reuse for your own presentations - no attribution needed.  I've compared each criterion to its Stage 1 equivalent.

Our Cancer Journey (Week 10)

Kathy is now finished with the hardest part of her chemotherapy regimen, Adriamycin/Cytoxan.   Next week, she begins Taxol every week for the next 12 weeks.    Taxol is typically far less fatiguing than AC.    It does have a problem in that it is suspended in a solvent that can cause allergic reactions.   Her regimen will include supportive doses of diphenhydramine (benadryl) and dexamethasone (a steroid).

At last week's checkup, Kathy's oncologist could no longer locate the tumor.

Her breast surgeon will order an MRI at the completion of the Taxol cycles and if the tumor is undetectable, Kathy may be able to have breast conserving surgery rather than a complete mastectomy.

On Taxol, her hair will begin to grow back and her energy is likely to rebound.   However, she is quite concerned about one side effect - a neuropathy causing numbness in her hands.    As an artist, she depends on a keen sense of touch to create her work.

She will no longer need Neulasta (a bone marrow stimulant).   She welcomed the fact that Neulasta protected her from neutropenic nadirs/infections but really did not like the bone pain/total body aches that it caused.

So the journey continues and we feel that we've turned the corner.   It's too early to see the light at the end of the tunnel, but at least the tunnel will be easier to traverse for the next 12 weeks.

Wednesday, February 22, 2012

Lessons Learned from China

On Sunday I returned from a week in Shanghai and Hangzhou.   A remarkable trip that included daily meetings with government, academic, and clinical leaders.   What did I learn?

In China, about 5% of the GDP is spent on healthcare per year compared to 16% in the US.    Although there is wide variation in lifespan and other population health measures between rural and urban settings, there are a few interesting observations about Chinese healthcare

*It's a single payer, publicly funded system that provides universal healthcare via a 14% payroll tax.
*There is a single national set of regulations and policies applied to all hospitals, clinics, and doctors
*There is a single set of national privacy laws
*Immunization is mandatory for the entire population
*There's a single national healthcare identifier

EHRs are widely used in China, however they are optimized for episodes of care, using templates for capture of selected data elements specific to a disease i.e. hypertension, hepatitis, diabetes.    The volume of patients is overwhelming - in one hospital I visited (Huashan), the  dermatology clinic sees 4000 patients per day.    The Chinese EHR enables clinics to document the basics of a problem specific encounter, facilitating extremely fast throughput.   The downside of this is that there is not a longitudinal problem list, medication reconciliation, or coordination of care to avoid repeat testing.

Health Information Exchanges are beginning, and in Shanghai there's a pilot in place which enables data sharing among the public hospitals.   The Chinese have designed an architecture to support HIE in cities, provinces, and across the country.   The idea is similar to the US NwHIN - a network of networks that shares detailed data on a local level and summary data on a national level.

The Standards for HIE are in the early stage and I have shared the US approach to the Consolidated CDA.   The Chinese believe that using building blocks of XML to specify aspects of the record for transition of care is exactly what they need.

I travel the world and over the past year I've worked on aspects of HIE in Japan, Scotland, New Zealand, Europe, and China.    The problems are the same all over - capturing the data, protecting privacy, creating standards-based summaries, embracing vocabularies, and providing decision support.   It's encouraging to see such progress.  In my lifetime, I believe we will achieve a level of healthcare data capture and sharing that enables us to improve healthcare quality, safety, and efficiency throughout the world.  We'll solve these problems, so that the next generation will reap the benefits.

Tuesday, February 21, 2012

HIE Consent Policy

I was recently asked how consent policy can evolve in Massachusetts to balance patient privacy preferences and the need to coordinate care/optimize population health.    Here's the letter I wrote to stakeholders about it:

"My name is John D. Halamka MD and I serve as chief information officer of Beth Israel Deaconess Medical Center, co-chair of the Massachusetts HIT/HIE Advisory Committee, and co-chair of the  HIT Standards Committee.

In my role as a CIO and clinician, I have been passionate about the need to electronically coordinate care to improve quality, safety, and efficiency.

My wife was recently diagnosed with Breast Cancer and her treatment has relied on the secure exchange of healthcare records with her consent.

The consent model that has worked best throughout the Commonwealth is 'Opt in consent to disclose at each institution'.    This means that no data is exchanged between organizations until the patient consents to the release of information from the sending institution (the place where the data was generated).   This consent stays in force until a patient revokes it.  

A separate consent to view the data at the receiving institution is not needed.   There is no need to re-consent the patient at each episode of care.

We've implemented this model in the New England Healthcare Exchange Network (NEHEN), in the Department of Public Health immunization registry, and in the design of the statewide healthcare data exchange that MassHealth is building.

Opt in to disclose is straightforward to implement and support.  It's easy to enforce and audit.

The one complexity to this approach is the data sharing of records containing HIV information.    Current and proposed Massachusetts regulations require opt in consent to view at each episode of care in addition to opt in consent to disclose.

Consenting the patient at each release of information is challenging to implement, difficult to audit, and likely impossible to enforce.   Security experts agree that easy to implement, easy to audit, enforceable approaches are much more secure than complex, challenging and cumbersome approaches.

I believe that Massachusetts stakeholders will support opt in consent to disclose at each institution as the single best approach for the release of all healthcare data.   Implementing this uniformly across the Commonwealth will ensure respect for patient privacy is maintained, care delivery organizations can support healthcare data exchange processes, and IT departments can implement the necessary applications.

As a CIO, physician, and husband of a cancer patient, I highly recommend we consider this simplification of current regulation and legislation.


John D. Halamka MD"

Privacy protection will always be a journey, but we need to start somewhere and I hope my comments above seem reasonable.

Friday, February 17, 2012

Cool Technology of the Week

I've recently been asked how healthcare information exchange can simplify compliance processes such as the delivery of electronic summaries, instead of thousands of sheets of paper, to CMS in support of audits.

I've described the ONC Standards and Interoperability Framework (S&I) process several times previously in my blog.  S&I convenes stakeholders to assemble new implementation guides and do technical work to polish existing standards.  The HIT Standards Committee makes recommendations and evaluates standards implementation, but does not create implementation guides.

The S&I Framework Electronic Submission of Medical Documentation (ESMD) project supports the CMS vision for automating audit processes.

The S&I ESMD workgroup continues to work on the implementation guides which support the exchange of the relevant data from hospitalizations that would replace the paper-based audits of today.   I'm guessing they will choose the Consolidated CDA (CCDA) standard that was developed by consensus for transitions of care.

A single, template-based standard for communication of clinical details to clinicians and a replacement for paper-based CMS auditing processes.   ESMD and CCDA are definitely cool!

Thursday, February 16, 2012

Our Cancer Journey - Week 9

My travel in China was timed for Kathy's good days, the end of one chemotherapy cycle and the beginning of the next.   She's had a busy week, with a visit to her surgeon (check in after 6 weeks of chemotherapy), her last cycle of Adriamycin/Cytoxan, and continuing our farm search as new properties begin coming onto the market in the Spring.

As I mentioned last week, I knew that traveling would make me uneasy.   I made a commitment to friends and colleagues over a year ago.  Backing out would impact the plans of many people who had agreed to 5 days of meetings in Shanghai as part of an effort to share US lessons learned in care processes and technology.   With Kathy's consent and perfect timing, I did the trip.

Kathy's support system includes her father, several fellow cancer survivors, and our next door neighbor, who is a heme/onc nurse from Dana Farber with 35 years of experience.     Our next door neighbor was very interested in visiting old friends at BIDMC and volunteered to take Kathy to cycle 4 of chemotherapy tomorrow in my absence.

I'll return by Sunday night just as the effects of chemotherapy are beginning.

Kathy's doing well.  Before I left, her left breast was examined and the tumor that was very pronounced a few weeks ago, could no longer be found on palpation. It's clearly responding well to the chemotherapy.

We confirmed this week what we had expected, chemotherapy has induced chemical menopause.    Thus far, no hot flashes, mood changes, or sleep disturbances.

We're staying in touch by email.   I have a generous international roaming data plan while traveling.  Kathy's putting all her energy in the farm search, which is very therapeutic for both of us.

This will be my only overnight travel without her during chemotherapy.    She'll join me for my April keynote in San Francisco and a May keynote in Vancouver.   There are a few same day Washington and Chicago trips but those will not conflict with her treatments or her low energy days.

Care at a Distance is emotionally challenging - I want to be home and focused on Kathy.   Our emails, her support system, and a mutual shared project to create a life beyond a 5 year survival statistic give us both comfort that all will be well.

Wednesday, February 15, 2012

Dispatch from China

This week I'm in Shanghai meeting with government, academic, and industry experts to discuss the implementation of electronic health records, healthcare information exchange, and business intelligence applications supporting the care of 23 million people.

Our team of 4 (Dr. Mitch Rabkin, Mt. Auburn hospital CEO Jeanette Clough, Architect Martha Rothman and I) flew to China February 12-13, losing 24 hours because of the international date line and 18 hours of flying.   We're staying in the eastern area of Shanghai, called Pudong, home to the economic miracle of the past 20 years - more skyscrapers than any other municipality in the world.

On February 14, we visited Huashan Hospital, a major teaching affiliate of Fudan University Medical School.  We learned a great deal about leading practices in China, specifically in the areas of neurology, neurosurgery, and infectious disease.    Huashan leads the country in many ways, but not in IT, since it only invests .8% of its operating budget in clinical applications and infrastructure supporting the healthcare process.   It's at a HIMSS Level 1 adoption level, but very committed to accelerating its progress.   In the afternoon, we keynoted a conference of all the hospital CEOs in Shanghai at the International Convention Center, Yellow River Hall. We were introduced by Dr. Chen, former director, Shanghai Municipal Health Bureau, now head of the Shanghai Hospital Association and  Dr. Jianguang Xu, Director General of the Shanghai Municipal Health Bureau.  The audience was very receptive to our comments about process improvement, patient centered care, accountable care organizations, LEAN improvement projects, and the importance of IT as a tool to facilitate these activities.

On February 15, we visited clinics and hospitals to better understand the emerging plans and infrastructure supporting healthcare in Shanghai.

On February 16, we're traveling to Hangzhou to offer advice to a team building a new hospital.

On Friday and Saturday we're advising healthcare leaders from Hong Kong before flying back to the US.

Every country, culture, and society has its own approach to healthcare.  China currently spends 5% of its gross domestic product on healthcare compared to 17% in the US.   In some ways China has fewer policy and technology barriers than the US because there are no state laws - just a single set of federal guidelines covering privacy, healthcare delivery, and IT.   Shanghai mandated the use of a single electronic record across its public hospitals.   It has mandated common standards and processes for medication exchange across the community.  If Dr. Xu develops a strategy, all hospital CEOs will follow it.

I look forward to our continued work with Chinese healthcare leaders.  The quality, safety, and efficiency challenges in China are similar all over the world and the lessons learned from Meaningful Use and Healthcare Reform will assist China while also ensuring they avoid our mistakes.

Tuesday, February 14, 2012

The Perfect EHR

I support over 3000 clinicians in heterogeneous sites of care - solo practitioners, small offices, multi-specialty facilities, community hospitals, academic medical centers, and large group practices.

In every location there is some level of dissatisfaction with their EHR.   Complaints about usability, speed of documentation, training, performance, and personalization limitations are typical.   Most interesting is that users believe the grass will be greener by selecting another EHR.

I've heard from GE users who want Allscripts, eClinicalWorks users who want Epic, Allscripts users who want AthenaHealth, and NextGen users who want eClinicalWorks.

The bottom line from every product I've used and everyone I've spoken with is that there is no current "perfect" EHR.   We're still very early in the EHR maturity lifecycle.

What is the perfect EHR?   I've written about my best thinking, which has been incorporated into the BIDMC home built record, webOMR.   (and has dissatisfied users too)

However, after listening to many "grass is greener" stories, I believe that what a provider perceives as a better EHR often represents trade offs in functionality.  One EHR may have better prescribing functionality while another has better letters, another is more integrated and another has better support.  The "best" EHRs, according to providers, vary by what is most important to that individual provider/practice, which may not be consistent with enterprise goals or the needs of an Accountable Care Organization.

My experience is that organizations which have given clinicians complete freedom of EHR choice now have an unintegrated melange of different products that make care standardization impossible.

My advice - pick an EHR for your enterprise that meets your strategic goals, providing the greatest good for the greatest number.   Apply a maximum effort to training, education, sharing of lessons learned, user engagement, and healthcare information exchange.

There will always be dissatisfaction and a claim that something is better.   However, I've never seen a change in product fix workflow and process issues.    BIDMC's strategy is to do our best  to ensure providers are educated and use their EHR optimally.   I do not believe that there is a better choice than our current mix of built and bought products that makes sense for our pioneer ACO and individual providers within the organization.

Monday, February 13, 2012

The Privacy & Security Mobile Device Project

Recently, ONC’s Office of the Chief Privacy Officer (OCPO), in collaboration with the HHS Office for Civil Rights (OCR), launched a Privacy & Security Mobile Device project.

The project goal is to better secure and protect health information on mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule - Remote Use Guidance, the project is designed to identify privacy and security best practices for devices that are used outside healthcare facilities or not directly under IT department control.

The HHS Remote Use Guidance may not be familiar to clinicians and IT professionals.   It was issued on 12/28/2006 and includes specific recommendations for the use of Electronic Protected Health Information (EPHI) on mobile devices, specifically (1) the use of portable media/devices (such as USB flash drives) that store EPHI and (2) offsite access or transport of EPHI via laptops, smart phones, home computers or other non corporate equipment.

The report groups its recommendations into three areas: access, storage and transmission.


Username/password protection -  to reduce the risk of keystroke loggers or stolen passwords, it recommends two factor authentication - something that you know and something that you have.

Remote access - to minimize the risk of privacy breaches, it recommends role-based access control for remote data access in combination with policies which delineate who is authorized to use remote access methods.

Unattended devices - to minimize the risk of privacy breaches by those who may find a lost or unattended device, it recommends timeouts on any software used to access EPHI

Malware -  to minimize the damage done by the increasing flood of malware on the internet, it recommends personal firewalls and appropriate use of up to date anti-virus tools


Theft risk mitigation - to reduce the risk of breach when a device is lost or stolen, it recommends encryption, biometric authentication methods, and strong mobile device storage policies

Lifecycle management - to reduce the risk of data loss when a mobile device is retired it recommends  deletion/physical destruction of devices

Data cached on non-owned device - to minimize the risk that data will be left on public computers used to access EPHI remotely, it recommends training, prohibition on downloading  files containing EPHI, and application software configurations that eliminate browser caching


Off network transmission - to minimize the risk of interception, it recommends that all data transmissions require SSL, TLS, or VPN in addition to policies requiring encryption of all data in motion between organizations.

These are guidelines, not regulations, but you can bet the next time CMS/OCR investigates a breach, they will ask if you have followed the published recommendations for  access, storage and transmission.  Thus, I highly recommend you read the HHS guidance and incorporate their suggestions into your overall security program.

Friday, February 10, 2012

Cool Technology of the Week

I recently did an interview about distracted doctoring for National Public Radio.  Typically, when I speak on Morning Edition or All Things Considered, I travel to our local  NPR affiliate (WBUR) and use their high fidelity dedicated ISDN lines in a soundproof booth.  

This time, I used my iPhone 4S.

How does it work?   I used a free application called Report IT Live which NPR has selected to capture interviews in the field via the high fidelity microphones built into the iPhone and a high digital sampling rate.

When the interview was complete, I uploaded the file securely to NPR servers.

Here's an overview of how it works in the field.

High fidelity radio interview recording on your iPhone with all the sound quality of a studio.  That's cool!

Thursday, February 9, 2012

Our Cancer Journey - Week 8

Kathy finished Cycle 3 of Adriamycin/Cytoxan, has weathered the most difficult treatment symptoms, had a positive rebound of her blood cell counts, and continued to receive an outpouring of support from the community.

Per the screen print above from BIDMC's web-based Online Medical Record, her neutrophil count increased from 3610 to 5660, ensuring she can fight infection.   Neutrophils are significantly affected by chemotherapeutic agents but Neulasta, a bone marrow stimulant, prevents cancer patients from the neutropenic nadirs that once caused multi-day hospitalizations requiring antibiotics.

Dr. Robin Schoenthaler, a Radiation Oncologist in the MGH Department of Radiation Oncology at Emerson Hospital and Director of Medical Education  at Emerson wrote to me with very helpful advice for husbands and families supporting breast cancer patients:
"I am a radiation oncologist at MGH specializing in the treatment of women with breast cancer and I have been following your blog (from which I heard about that very cool I-phone charger; thank you very much!) for some time.  My heart goes out to you and your wife.  I hope that things go as swimmingly as possible for you during and after the acute phase of treatment.

I have many many thoughts about what you have written; but yesterday's column which touched on the issues of 'causality' rang a real bell for me in three areas.

First off, it may interest you to know that, as far as I can find,  there are no good studies that absolutely link breast cancer (or any cancer) with stress.  Studies looking at extreme stress (eg war, famine, rape) have not shown a clear-cut link with the later development of cancers.  Studies looking at day-to-day stressors have been negative, and studies evaluating severe stressors (recent divorce, death of loved one) are extremely mixed -- some show perhaps a small link and some actually show that severe stressors are associated with a LOWER rate of breast cancer (eg the Women's Health Initiative).  This stuff is terribly hard to tease out so all we can say at the present time is that while there MAY be a link, and although there are hypothetical reasons to be concerned about a link, thus far many good studies do NOT show an absolute connection between being under stress and then getting breast cancer.

This may well be because 'cancer' is such a heterogenous disease, and it may also be related to the fact that cancers grow at such different rates, so that it's nearly impossible to say that a defined 'stressor' (and who can say exactly what stress is -- for some people it's their mother-in-law!) is linked to a very slow-growing breast cancer (or a fast one) or a lightning-fast lymphoma.  It's just too hard to connect the dots.

The second idea I would like to convey to you is that your search for a cause -- wondering if it's paints, or stress, or radicals (or for other women: fertility treatments, or living under power lines, or pesticides) is a specifically AMERICAN response to disease, or more fundamentally, why bad things happen to good people.  If you and your wife lived in India, you would probably think this disease occurred because of something harmful you did in a past life prior to this reincarnation (karma, etc).  If you lived in Mexico, you might well think your wife was bound to suffer this way so she could offer it up and then sit at the right hand of Mary in heaven.

But here in America, we always, always, think it's something we did.  We think we are the cause.  We ALWAYS think we are the cause, and if only we had done x or y or z maybe this wouldn't have happened.  We like to think we are in control, us Americans (especially the engineers and computer people amongst us), despite the fact that Mother Nature is constantly showing us who rules.

I do think this is an important thing to think about -- maybe it wasn't environmental, maybe it had nothing to do with behavior, maybe it was just stone cold bad luck.  I think it changes the way one approaches disease sometimes and I offer it to you as a possibility.

The third thing I want to say to you is that you are really being a model Husband/Caretaker, and my hat is off to you and to all such wonderful men.  I call men like you 'Purse Holders' and in fact I wrote an essay in the Globe about them a couple of years ago.  If you care to read it you can find it here.

I send you my very best regards and wishes, and if you would like to further discuss these or any other breast-cancer-related issues or questions, please consider me your go-to person."

Thanks Robin, your support is much appreciated.  And you're right, since treating breast cancer is a partnership, all aspects of treatment including the driving, the listening, and the purse carrying are a shared responsibility.

On Sunday, I must fly to China to fulfill a promise I made a year ago to assist with healthcare IT design in Shanghai and Hong Kong.   My absence is timed for those treatment days when Kathy is at her best and her energy has returned.   I'll be back before the symptoms of Cycle 4 begin.    I'll write my post next week during the first time we've been apart overnight since her diagnosis in December.   As we travel the treatment path together, the experience of caring for Kathy long distance will bring new emotions.

Wednesday, February 8, 2012

Two Factor Authentication

I've previously written about innovative approaches to strong identity management which we're investigating.

SAFE-BioPharma has implemented a thoughtful two factor authentication solution that leverages mobile devices and is provisionally certified as a trust framework provider for NIST level of assurance 2 and 3 by the General Services Administration FICAM program. Their solution is cross certified with the Federal Bridge Certificate authority.  Thus, their credentials are trusted in both the Public Key Infrastructure (PKI) and non-PKI sectors for authentication to any Federal application or infrastructure.

Here's how credentials are issued per Richard Furr, Head of Global Regulatory Affairs, Policy and  Compliance, SAFE-BioPharma Association:

The applicant is nominated for a credential by a sponsoring SAFE-BioPharma member.  It is important to note here that SAFE-BioPharma is a member driven non-profit association and only members of the association can nominate applicants for credentials.  Applicants must be employees or business partners of that member. Membership in SAFE-BioPharma is limited to entities that operate in the biopharmaceutical or healthcare delivery sectors.

The nomination is made on-line by a specially trained member of the member staff who enters specific data, i.e., at least name and business e-mail address, into the registration authority system (UIS) that Verizon Business operates as a contracted infrastructure provider for SAFE-BioPharma.

The UIS generates an email to the applicant address which contains a link to the UIS and a one time password to allow the applicant to access the UIS.

The applicant completes a user profile including other information, e.g., address, telephone, last 4 digits of their social security number, date of birth, medical license number if they have one, that the UIS uses to build out their identity.

Based on the data entered by the applicant the UIS develops their identity and through a contracted data source (LexisNexis) the applicant is presented with five multiple questions to which only they should know the correct answers.  The applicant has 2 minutes to answer 4 of the 5 questions correctly.  If they fail the first time they are presented another 5 questions.  If they answer 4 correctly their identity is confirmed and they can complete the registration process.  If they fail a second time they are rolled over to a manual notary process.

Once the identity is confirmed, the applicant creates an account with the UIS Identity Broker by creating a strong user name and password according to the parameters of the system.  Then, the applicant registers one or more devices that are capable of receiving a cryptographically generated one-time password, e.g., smartphone (Android or iPhone), SMS capable cell phone, iPad, other mobile tablet, landline phone capable of receiving interactive voice response, other token (RSA, OAuth, etc.) or other types of devices that can receive the One Time Password (OTP).

Upon completion of these steps the system also generates an X.509 certificate that is downloaded to a cloud-based FIPS 140-2, level 3 certified hardware security module.  This certificate is the applicant's digital signing certificate.  It can be accessed using the 2-factor non-PKI credential that was just generated.  Upon completion of these steps the applicant digitally signs their Subscriber agreement and is ready to go.  The entire process takes about 10 minutes. It is also important to note that the last 4 of the social security number and date of birth are deleted after the initial registration process so they are never kept in the system.

Here's how actual authentication works:

1.  The user accesses an application or portal via the internet.
2.  The accessed application or portal displays a login dialog that asks for the  user name and password.
3.  The user enters their user name and password and selects the pre-registered device to which they wish their OTP to be sent.  This is the first factor of the 2-factor authentication – something the user knows.  The app or portal also generates a SAML2 request to the identity broker.
4.  The identity broker verifies that the Account is valid and uses a cryptographic algorithm to generate the OTP and send it to the selected device.
5.  The app/portal displays a dialog for the user to enter their OTP.  The user has 5 minutes to enter the OTP.  When they do, the identity broker verifies the OTP as being the one that was generated and this completes the second factor – something the user has – in this case the pre-registered device that received the OTP. Based on this successful completion, the identity broker generates a SAML2 response to the app/portal verifying the identity.
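The five steps above, sketched as an added example (not SAFE-BioPharma's or Verizon's code). The post does not say which algorithm generates the OTP, so this sketch assumes a random 6-digit code from a CSPRNG; the class name, the retry limit and the `outbox` delivery stand-in are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60  # from the post: the user has 5 minutes to enter the OTP
MAX_ATTEMPTS = 3          # assumption: the post states no retry limit


class IdentityBroker:
    """Toy identity broker: password check, OTP issue, OTP verification."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts = {}  # user -> salt, password hash, registered devices
        self._pending = {}   # user -> outstanding OTP challenge
        self.outbox = []     # (device, otp) pairs standing in for SMS/voice/app delivery

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, devices):
        salt = secrets.token_bytes(16)
        self._accounts[user] = {
            "salt": salt,
            "pw_hash": self._hash_pw(password, salt),
            "devices": set(devices),
        }

    def start_login(self, user, password, device):
        """Steps 3-4: check the first factor, then send an OTP to the chosen device."""
        acct = self._accounts.get(user)
        if acct is None:
            return False
        supplied = self._hash_pw(password, acct["salt"])
        if not hmac.compare_digest(acct["pw_hash"], supplied):
            return False
        if device not in acct["devices"]:
            return False  # only pre-registered devices may receive the OTP
        otp = f"{secrets.randbelow(10**6):06d}"
        # Keep only a hash of the OTP; a new challenge replaces any older one.
        self._pending[user] = {
            "otp_hash": hashlib.sha256(otp.encode()).digest(),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((device, otp))
        return True

    def verify_otp(self, user, otp):
        """Step 5: accept the OTP once, within the time window and retry limit."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._clock() > pending["expires"] or pending["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]  # expired or locked out: force a fresh login
            return False
        pending["attempts"] += 1
        supplied = hashlib.sha256(otp.encode()).digest()
        if hmac.compare_digest(pending["otp_hash"], supplied):
            del self._pending[user]  # single use: a replayed OTP is rejected
            return True
        return False
```

A real broker would return a signed SAML2 response to the application after `verify_otp` succeeds; that step is outside this sketch.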

If the user needs to digitally sign a document, such as an e-prescription, they can do so using this same process to authenticate to their X.509 certificate in the cloud.  It appears that the DEA will accept this process as part of the final rule for e-prescribing controlled substances.

Since the credentials are FICAM certified, it seems reasonable that such an approach meets all compliance criteria that require strong authentication for securing protected healthcare information.

Tuesday, February 7, 2012

Attesting to Meaningful Use Quality Measures

I was recently asked how eligible professionals should report the Meaningful Use Clinical Quality Measures if there are zero denominators (i.e. you do not have any hypertensives, adults, or patients with 2 or more visits in the measurement period).

Here's the answer as I understand the regulations and FAQs:

1.  Report on the 3 Core measures if you can, which include
*Hypertension: Blood Pressure Measurement
*Tobacco Use Assessment and Tobacco Cessation Intervention
*Adult Weight Screening and Follow-up

2.  If any of the 3 Core measures has a zero denominator, replace them one-for-one with one of the 3 alternate core measures.   If you can’t get to 3 non-zero denominators between the core and alternate core, report on all 6 (even if it means that you have to report 6 zero denominators)
*Weight Assessment and Counseling for Children and Adolescents
*Preventive Care and Screening: Influenza Immunization for Patients ≥ 50 Years Old
*Childhood Immunization Status

3.  Regardless of the above, you MUST report on 3 of the remaining 38 Additional Set measures.  If you are reporting any zero denominators from these Additional Set measures, you must attest that you have no other non-zero denominator measures.  Essentially, you have to confirm that you’re not running away from non-zero denominator measures.

In summary, the minimal requirement is for 6 measures (3 core or alternate core, 3 additional set).  You may have to report up to 9 measures if there are zero denominators involved.  If you can’t find 3 non-zero denominators among the core and alternate core, you have to report on all 6 (even if it means that you’re reporting 6 zero denominators).  In addition, you still have to report on 3 from the remaining 38 additional set measures.  If any of these 3 additional set measures is a zero denominator, you must confirm that you don’t have a non-zero denominator for any of the remaining 35 that you’re not reporting on.
Micky Tripathi posted a blog about this last summer that provides additional detail.

You'll find the FAQs that address the Clinical Quality Measures here.

Monday, February 6, 2012

The Perfect Storm for Innovation

In my career, there have been a few perfect storms, defined as "a confluence, resulting in an event of unusual magnitude".

When I was an undergraduate at Stanford University in 1980, two geeky guys named Jobs and Wozniak dropped by the Homebrew Computer Club to demonstrate a kit designed in their garage.   IBM introduced the Personal Computer and MSDOS 1.0.   I purchased an early copy of Microsoft Basic and began creating software in my dorm room including early versions of tax calculation software, an econometric modeling language, and electronic data interchange tools.   Every day brought a new opportunity. The energies of hundreds of entrepreneurs created an industry in a few intensely creative months that laid the foundation for the architecture and tools still in use today.   A guy named Gates offered me a job and I decided to stay in school instead.

In 2001 when I was first hired at Harvard, a visionary Dean for Medical Education, a supportive Dean of the Medical School,  talented new development staff, and a sleepless MD/PhD student came together to create one of the first Learning Management Systems in the country, Mycourses.   Robust web technologies, voice recognition, search engines, early mobile devices, and new multi-media streaming standards coincided with resources, strong governance, and a sense of urgency.  Magic happened and in a matter of months, an entire platform was created that is still powering the medical school today.

At BIDMC in 2010, IS Clinical Systems staff and key operational leaders realized that Meaningful Use Stage 1 was within reach if we temporarily put aside other work and focused our energy, creativity, and enthusiasm on rapid innovation, process change, and education.   In a few weeks we became the first hospital in the country to certify our EHR applications - inpatient and ambulatory.    We became the first hospital to achieve Meaningful Use.  More than 70% of our eligible professionals have surpassed meaningful use performance thresholds.   We had no budget, no dedicated resources, and nothing but strength of will to make it happen.   It was one of our finest hours.

In 2011, the Massachusetts public sector (Secretary of EOHHS, CIO of EOHHS), private sector healthcare leaders, and healthcare IT experts had a bold idea - create a public utility that links together all the existing regional health information exchanges, public health, small clinician offices, payers, and patients using modular components procured and initially operated by state government.   We aligned forces and in a few weeks created budgets, project plans, a new State Medicaid Health Plan, and a guiding coalition of stakeholders.    Political, organizational, and technical barriers were broken down and unbridled optimism rekindled our health information exchange momentum.    2012 will be a transformative year in the Commonwealth, truly a perfect storm.

My advice - look for the perfect storms in your own life.  Minimize your distractions, cancel unnecessary meetings, and put aside those tasks that don't add value.   Take a risk and dive head first into the possibility of creating greatness.   I've seen opportunity come and go in my life.   No one remembers the mundane.  No one forgets the events of unusual magnitude.

Recently, I updated my BIDMC job description to include fostering healthcare information exchange among affiliates, accountable care organizations, and the community.   The Massachusetts Health Information Exchange is the next perfect storm in my career and I will devote all of my energies to the confluence being created by EOHHS CIO Manu Tandon, Massachusetts eHealth Collaborative CEO Micky Tripathi, and the dozens of volunteers lending their wisdom to the process.

Friday, February 3, 2012

Cool Technology of the Week

I recently wrote about the explosion of business spam.

One of my blog commenters introduced me to which provides a free, timesaving, easy to use unsubscribe utility.

Numerous times a day, I click on an email, scroll to the unsubscribe area, have to figure out the proprietary unsubscribe functionality of the business spammer, retype my email address, and hope it works since unsubscribe sites are generally slow and unreliable.

With, I just download a plug-in for my email client (Apple Mail), and simply click on the unsubscribe icon whenever unwanted email appears in my inbox.   The unsubscribe servers use natural language processing to figure out the unsubscribe methodology and send the unsubscribe request.

It has easily saved me 15 minutes a day.

Of course the ultimate answer would be for advertisers to act more ethically.   I had a great conversation with Dave Smith, Compliance Officer for Constant Contact about their efforts to enforce email advertising best practices.    A few items:

1.  They ask their clients to certify pre-existing business relationships or opt-in before sending email.   Some clients do not follow this policy guidance, and the Constant Contact compliance team does their best to identify and stop abuses by their customers.

2.  They created "Safe Unsubscribe" to make it easier for recipients to remove themselves from mailing lists.   It really works - Safe Unsubscribe does actually stop the flow of advertising.

3.  They will honor a  global "do not call" designation for all email newsletters if such a request is made to the compliance department.

My wife uses Constant Contact for her NKG Art Gallery Newsletter, so I'm not opting out of all communications just yet.   Only a small portion of my business spam comes from advertisers using Constant Contact - a tribute to their ethical marketing compliance efforts.

A utility to automatically unsubscribe and a company using a compliance team to reduce unwanted email.    That's cool!

Thursday, February 2, 2012

Our Cancer Journey - Week 7

Tomorrow we begin the third cycle of Cytoxan/Adriamycin.   In the journey thus far, Kathy has had good days and bad days.   High energy and low energy days.    Meal days and BRAT (Bananas, Rice, Apples, Toast) days.    We frequently discuss the factors that put Kathy at risk for cancer at this point in her life.   We talk a lot about the future.

Kathy's typical pattern is

Friday - Chemotherapy infusion day, good energy, good appetite, some jitters from the steroids
Saturday - Good energy, good appetite, some jitters from the steroids
Sunday - Waning energy, moderate appetite, bone pain
Monday - No energy, moderate appetite, extra sleep needed, bone pain, bland diet
Tuesday - Low energy, extra sleep needed, bone pain, bland diet
Wednesday - Low energy, bland diet, extra rest needed
Thursday - Moderate energy, bland diet
Friday - Moderate energy, stomach pain, bland diet
Saturday - Moderate energy, stomach pain, bland diet
Sunday - Moderate energy, stomach pain, bland diet
Monday - Good energy, moderate appetite
Tuesday - Good energy, good appetite
Wednesday - Good energy, good appetite
Thursday  - Good energy, good appetite

What environmental risks caused the cancer at this point in her life?  Exposure to the cadmium and other heavy metal pigments in her traditional oil paints? Pesticides in the environment? Bisphenol in cans? Free radicals?

We've talked about psychoneuroimmunology, the impact of mood and outlook on the ability to combat disease.

The past two years have been challenging for Kathy - helping our daughter grow from high school to college, transitioning to an empty nest, creating an art gallery business in a challenging economy, sharing the stresses of my Federal/State/local work (especially Meaningful Use for several hospitals and 2000 doctors), and supporting the health needs of our parents.

Although the past few years have been stressful, all the events are consistent with our expectation for this stage of life.

One event in the past year was a bit out of the ordinary.  A 19 year old with a very poor driving record (4 points on his license, 1 high speed collision, 1 hit and run etc.) drove down the wrong side of the road around a line of traffic and hit Kathy's car as she was exiting a parking lot.   It was very clear from the position of the impact that it was caused by a driver violating the law.

Kathy filed an insurance claim and provided all the details of the accident.

The 19 year old driver lied about what happened.

Our insurance company decided Kathy was at fault, gave her a point on her driving record, and added a multi-year surcharge to her insurance.

When Kathy pursued the issue, noting that the 19 year old with the poor driving record was lying, the insurance company told her that without a photograph of the accident or an independent witness who was willing to verify the events, they would have to believe the 19 year old because Kathy was exiting a parking lot and that makes her at least 51% responsible.  Despite Kathy's over 30 year good driving record, the insurance company representative literally ended the conversation with the statement "Life isn't fair".

That episode temporarily caused Kathy to lose her faith in humanity and gave her a sense of helplessness in a hostile world.

As with any conflict or issue, for everything there is a process.

Kathy appealed the ruling to the Massachusetts Board of Insurance and wrote an eloquent letter stating the facts.

Today the Board of Insurance ruled she was not at fault, rescinded the point on her license, and demanded that the insurance company refund/rescind the surcharge.  She cried when she opened the letter. The nice guy can still finish first.

This weekend we'll continue our search for local farmland by touring Harvard, Massachusetts with locals recommended by our next door neighbor.  The cancer diagnosis constrains our possibilities but has not dulled our enthusiasm for a long and fulfilling future.

Wednesday, February 1, 2012

Provider Directories and Public Key Infrastructure for HIE

As Massachusetts prepares a Request for Response (RFR)  to procure healthcare information exchange infrastructure and applications,  many stakeholders have been hard at work documenting requirements.

The Provider Directory and Public Key infrastructure are some of the hardest specifications to write since they have not yet been widely deployed for healthcare information exchange anywhere in the country.

The leaders of the Massachusetts HIE effort have held 3 major vendor and user forums over the past month and have been told that no vendor has a standards-based provider directory in production at any customer site.

Here's our best thinking about Provider Directory and Public Key infrastructure services.

Provider Directory
The Directory will have a schema within a relational database that enables lookup of entities, which could include a person (John Halamka),  an organization (BIDMC), a department (The BIDMC Department of Emergency Medicine), a state entity (Massachusetts Department of Public Health),   a payer (Blue Cross Blue Shield of Massachusetts), a vendor (The Massachusetts eHealth Collaborative Quality Data Center), or a PHR infrastructure trusted by the HIE (Microsoft Healthvault).     There will be two ways to query this database - Lightweight Directory Access Protocol (LDAP) for  use within the Massachusetts state government firewall and SOAP-based web service APIs for all users external to the firewall.   The response to a query will include the node name for communication to the entity i.e. John Halamka will not have a node, but the BIDMC Department of Emergency Medicine or BIDMC could.   Digital certificates are not stored in the Provider Directory.

Public Key Infrastructure
Certificates will be issued by a single Certificate Authority and will be stored in one of many Domain Naming System (DNS) services capable of supporting certificate queries such as BIND or Microsoft's special implementation of DNS created for the Direct Project.  For example, BIDMC could offer a DNS service called which hosts the public keys for all our nodes.

Here's how it would be used.  An EHR would look up an entity in the Provider Directory and then use DNS services to retrieve the certificate for the entity's node.
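The two-step lookup just described, as an added example (not the Massachusetts HIE's or the Direct Project's code). It assumes certificates are published as RFC 4398 CERT records, which the post does not spell out; the node names under `.example`, the directory rows and the certificate bytes are constructed placeholders.

```python
import struct

CERT_TYPE_PKIX = 1  # RFC 4398 type value for an X.509 (PKIX) certificate

# Constructed directory rows: entity -> (node name or None, parent entity).
DIRECTORY = {
    "John Halamka": (None, "BIDMC Department of Emergency Medicine"),
    "BIDMC Department of Emergency Medicine": ("ed.bidmc.hie.example", "BIDMC"),
    "BIDMC": ("bidmc.hie.example", None),
}

# Constructed stand-in for a certificate: a DER SEQUENCE header plus 256 zero bytes.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
CERT_HEADER = struct.pack("!HHB", CERT_TYPE_PKIX, 0, 0)  # type, key tag, algorithm

# Constructed DNS answers: node name -> list of CERT RDATA blobs.
ZONE = {
    "ed.bidmc.hie.example": [CERT_HEADER + FAKE_DER[:100], CERT_HEADER + FAKE_DER],
}


def resolve_node(entity):
    """Step 1: a person has no node, so walk up to the nearest entity that has one."""
    seen = set()
    while entity is not None and entity not in seen:
        seen.add(entity)
        if entity not in DIRECTORY:
            break
        node, parent = DIRECTORY[entity]
        if node:
            return node
        entity = parent
    raise LookupError("no node found in the directory")


def der_total_length(data):
    """Encoded length of the outer DER SEQUENCE, read from its length octets."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def parse_cert_rdata(rdata):
    """Split CERT RDATA into its fixed header and the certificate bytes."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    der = rdata[5:]
    if cert_type != CERT_TYPE_PKIX:
        raise ValueError("not an X.509 certificate record")
    if der_total_length(der) != len(der):
        raise ValueError("certificate truncated or followed by extra bytes")
    return {"key_tag": key_tag, "algorithm": algorithm, "der": der}


def fetch_certificates(entity, dns_lookup=ZONE.get):
    """Step 2: query DNS for the node and keep only well-formed certificates."""
    node = resolve_node(entity)
    certs = []
    for rdata in dns_lookup(node) or []:
        try:
            certs.append(parse_cert_rdata(rdata))
        except ValueError:
            continue  # skip truncated or non-X.509 answers
    if not certs:
        raise LookupError("no usable certificate for " + node)
    # Plain DNS answers are not authenticated: the caller must still validate
    # each certificate against the HIE's single Certificate Authority.
    return node, certs
```

The length check matters because certificates often exceed the size of a basic UDP DNS reply, so a resolver that does not retry over TCP can hand back a truncated record.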

We're also considering an alternative approach using the open source tools available in the Direct Project's Reference Implementation.   These tools include administrative tools to store and manage certificates and an adapter that links the directory store to a DNS responder.    Participants could upload their certificates to this centralized data store.  For example:

DNS Responder <--DNS Web Services--> Direct Reference Implementation Web Services <--BIDMC adaptor--> BIDMC datastore

The vendor community has told us that they want a single simple directory and public key infrastructure specification they can implement one time for an entire state.   We'll give that to them and I'll write about their responses in future posts.