Consortium News

  • 08 Jun 2015 3:27 PM | Anonymous

    Aims for one file per person, fewer errors

    By Priyanka Dayal McCluskey GLOBE STAFF  JUNE 01, 2015

    After two years as an intensive care nurse at Brigham and Women’s Hospital, Aqua Bang will no longer need to carry a pen and binder to record the vital signs of her patients. Instead, that information will instantly flow from bedside monitors to each patient’s computerized health record, part of a massive information technology system launched over the weekend by Partners HealthCare.

    The new system will eventually house millions of patient records across a network of 10 hospitals and 6,000 doctors. It comes with a $1.2 billion price tag, the single biggest investment Partners has ever made — nearly twice what it cost to build the massive Lunder Building at Massachusetts General Hospital in 2011.

    While it’s a big shift for employees, the new system will initially change little about what patients experience at the hospital. Eventually, however, it will allow patients better online access to their medical information. And it has the potential to reduce medical errors. Instead of a separate record at every Partners facility, a patient will have one record throughout the Partners system, so information is more readily shared among doctors.

    The investment is part of a gamble by Partners and the US health care system that spending vast amounts on information technology will pay off in better health care at lower costs. Hospitals across the country are investing billions of dollars in electronic medical records systems, pushed by the Obama administration and insurers, which are adopting payment systems that require careful coordination of medical services.

    The costs of the technology upgrades will eventually get passed on to consumers through health insurance premiums, and to taxpayers, who subsidize Medicare and Medicaid, the government health care programs for the elderly and poor, said Dr. Paul Hattis, a professor at Tufts University School of Medicine and member of the state’s Health Policy Commission, which monitors medical costs.

    “We will ultimately all pay for it,” Hattis said. “Will we get dividends back in terms of better care and greater efficiencies? We don’t know yet.”

    Eventually, the new system will allow patients better online access to their own medical information.

    Other Massachusetts hospitals have recently adopted similar systems, although Partners’ is far bigger, given the network’s greater size.

    Partners’ new technology will replace a patchwork of dozens of software programs used by different hospitals, departments, and clinics in the Partners network. The potpourri of software has made it difficult for doctors in one Partners facility to consult information about their patients’ visits to other Partners facilities. Even critical information like allergies to medications can be easy to miss.

    Partners officials promise the new system will give doctors, nurses, and clinical staff anywhere in the network easy access to the most up-to-date information about patients.

    Partners also is building a Web portal to allow patients to check their medical information, schedule appointments, and interact with caregivers in ways, such as through questionnaires, that weren’t possible with older systems.

    “It’s right for people to think, ‘Is this the way we should spend our health care dollars?’?” said Dr. Gregg S. Meyer, chief clinical officer at Partners.

    The launch this weekend, which hospital officials dubbed “the big bang,” included the Brigham, Partners’ Faulkner Hospital campus, its clinical partner, Dana-Farber Cancer Institute, and Partners’ home care division. The new technology will be rolled out to the rest of the Partners network, the state’s largest, through 2017. It is scheduled to be launched at Massachusetts General Hospital next April.

    The system, developed by Epic Systems Corp. of Verona, Wis., has been three years in the making. It has grown in scope to cost double the initial estimate of $600 million. Partners hired 600 new employees and hundreds of consultants to work with Epic to build the system and then train thousands of doctors, nurses, physician assistants, and other workers to use it.

    “At the core of all of this is patient safety,” said Dr. Ron M. Walls, the Brigham’s chief operating officer.

    The system, which has been dubbed Partners eCare, will send doctors alerts when a patient needs an immunization, a colonoscopy, or a test. It also will allow doctors to more easily analyze patient data.

    Dana-Farber, for example, can start monitoring how patients respond to a certain chemotherapy drug to help determine who should receive that drug in the future.

    Developing the system also included building firewalls and other security features to protect data from cybercriminals hunting for private information, Partners officials said.

    Dana-Farber and the Brigham beefed up staff over the weekend to help clinicians navigating the system for the first time. More than 1,500 extra staff were on hand, including doctors, nurses, technology specialists, and a variety of temporary workers.

    About 450 software specialists spent the weekend at computer screens in a sprawling makeshift command center at Dana-Farber, fielding a steady stream of calls from employees running into problems. Most of the issues were minor and expected, including problems logging into workstations and printing documents, hospital officials said.

    Bang struggled a bit to find her way through the system as she grappled with the small issues of learning new software, such as finding the right buttons to click. When she got confused, she flagged down one of the support staff patrolling her unit.

    “This morning I felt a little disconnected,” she said, “but I think when I get used to it, it’ll become second nature.”

    The Brigham, anticipating that staff will need time to get used to the system, reduced the number of patient appointments for the next several days, a change that will cost the hospital about $15 million in lost revenue.

    Lahey Health of Burlington is spending $160 million to install its new Epic health records system, launched in March. Boston Medical Center has also installed Epic, at a cost of $100 million, moving patients to the new system over the past year. Both BMC and Lahey are much smaller than Partners.

    Another Boston health system, Beth Israel Deaconess Medical Center, has opted not to buy a single health records management system for its network. Instead, it created a function that allows different systems to share information with the click of what the chief information officer, Dr. John D. Halamka, calls the “magic button.” That approach is far less expensive, he said, noting, “We have been able to do it with the budget we have.”

  • 08 Jun 2015 1:33 PM | Anonymous

    Retrieved from
    Bob Herman with Virgil Dickson   |   June 4, 2015

    More flexibility is coming for Medicare accountable care organizations under a final rule the CMS published Thursday (PDF). The revisions are intended to strike a balance between maintaining the program's rigor and making sure providers continue to participate. 

    The Medicare Shared Savings Program will offer a new track to take on more financial risk of patient care, and it will allow Medicare ACOs to avoid penalties beyond the initial three-year term. The CMS will also issue future guidance on benchmarking and rebasing issues that have been sources of contention for many providers.

    The Affordable Care Act catalyzed the creation of Medicare ACOs, which are networks of hospitals and physicians that aim to improve the quality and lower the cost of care for Medicare beneficiaries in a defined area. More than 400 ACOs participate in Medicare accountable care contracts, and they care for more than 7 million beneficiaries.

    The CMS received 275 comments from concerned stakeholders, and the agency expects 90% of Medicare Shared Savings ACOs will stay with the program because of the rule changes. 

    Hospitals and physicians have been able to choose between two tracks for shared savings for ACOs, and the CMS is finalizing the third option it proposed in December. The third track is “very much modeled” after the Pioneer ACO, CMS Deputy Administrator Sean Cavanaugh said. And it also shares many similarities with the Next Generation ACO model that the CMS proposed in March.

    Providers opting into track three will take on more financial risk, but could also share in potentially higher savings. The CMS said upside and downside risk for this model will be 75%—meaning an ACO's bonus or penalty would be 75% of its savings or loss— just as it proposed in December. ACOs in track three are also given a fixed population of beneficiaries to care for.

    Cavanaugh said a number of healthcare organizations around the country “will find this attractive.” But it's more important for the agency to offer a variety of options that meet a provider's tolerance for taking on financial risk and maintaining high quality, he said.

    The first track of Shared Savings ACOs, considered the safest, originally called for providers to receive rewards for hitting cost and quality targets for three years. Thereafter, they would be responsible for both rewards and penalties, called two-sided risk. However, the CMS finalized its earlier proposal, allowing ACOs to enter another three-year period in which they can avoid financial penalties. 

    Allowing no risk, “is a very strong message from CMS and the administration that they are committed to the long-term viability of the program,” said Jeffrey Spight, president of Collaborative Health Systems (CHS), a division of health insurer Universal American that operates about two dozen ACOs with Medicare shared savings contracts. Universal American previously had an even bigger presence in the program but dropped out of them in several markets. 

    The ACOs must be “in good standing with the program” and have high quality scores for beneficiaries. The CMS emphasized that two-sided risk is the future of the program despite this extension.

    “There's a reality that shifting from fee-for-service to accountable-care models takes time,” said Dr. Patrick Conway, the CMS' chief medical officer. “That is a long-term transition and can certainly take more than three years. We're really trying to meet providers where they are.”

    Later this year in a separate rule, the CMS also will readjust its methodology for what it calls benchmarking and rebasing. Several ACOs, particularly Pioneers, have said they faced significant penalties even though they had high quality scores and saved Medicare money. Regional payment differences and historically low Medicare per-beneficiary costs have not given them much room to share in savings.

    A newer methodology would account for regional trends and future savings “rather than solely ACOs' own recent spending,” the CMS said.

    The CMS made it clear in the rule that the ACO program is a separate, distinct option from traditional fee-for-service Medicare and the capitated Medicare Advantage program even though ACOs incorporate elements of both. Unlike Medicare Advantage, people enrolled in a Medicare ACO still have their full traditional Medicare benefits and can see any Medicare provider, not just those within the ACO.

    “While we frequently relied on our experience in other Medicare programs, including Medicare Advantage, to help develop program requirements and design elements for the Shared Savings Program … the intent of this program is not to recreate or replace Medicare Advantage,” the CMS said.

    HHS Secretary Sylvia Mathews Burwell set a goal in January to tie 30% of all traditional Medicare payments to alternative payment models such as ACOs and bundled payments by the end of 2016. That goal increases to 50% by the end of 2018. Adjusting ACO rules to be more accommodating to providers was viewed as necessary to the government's plan.

    “ACOs are a critical part of meeting those alternative payment model goals, and we think this rule further lays the groundwork so that we'll be able to reach those goals,” Conway said.

  • 08 Jun 2015 1:04 PM | Anonymous

    Boston Business Journal   |   Jun 4, 2015   |   Jessica Bartlett

    UMass Memorial Health Care and CareWell Urgent Care hope to integrate further beyond an affiliation, CEOs from both companies said today.

    The multi-site health system and the urgent care clinic announced their affiliation on Thursday, with plans to develop three integrated CareWell locations in Worcester and Northborough.

    But beyond Carewell using UMass staff and sharing the medical information of its patients with the health system, the two institutions hope to financially link the organizations in the future.

    “We are working on the partnership and what it look like in the long term,” said UMass Memorial CEO Dr. Eric Dickson in an interview. “The strong affiliation exists as the starting point, and will likely grow into something more concrete. I think that a tighter financial link in the future is definitely possible between us.”

    According to Shaun Ginter, president and CEO of CareWell, it’s a mutual goal. In the short-term, CareWell will pay for the expansion into three locations, two of which in Worcester are expected to open on July 15.

    The expansion is part of larger plans for both organizations. CareWell is also adding a second location in Cambridge in addition to the three through the UMass affiliation, bringing the total number of locations in the state from nine to 13.

    The organization hopes to open another two to three locations this year, and said that it is constantly talking with other health systems about affiliations. CareWell also has an affiliation with Lahey Health.

    “Proper affiliations for urgent care can help coordinate care and help integrate with the local community,” Ginter said.

    For UMass Memorial, the plan is part of a larger mission by the organization to develop a broader range of services for its patients.

    The health system has been looking for ways to offer broader access to care at lower price points, as health systems move away from getting paid for each service rendered, and more to being paid on a budgeted basis for each patient.

    In addition to allowing UMass doctors not to duplicate X-rays and other diagnostics when seeing patients for follow up care, the integration will also allow primary care doctors to refer patients to an urgent care center, rather than to an expensive emergency room.

    “We have to be thinking like we’re managing the health of the population and the total cost (of each patient),” Dickson said. “It might take some ER volume and move it to a lower cost setting. In the past, that would be financially bad. But the future of medicine, being able to do that, (is) financially good. It might not be that way today for us, but we’re looking to the future as we’ll be taking on more risk.”

    UMass is also looking to create an ambulatory surgery center to do outpatient surgeries outside of the big hospital.

    "This is one piece of a bigger extension of services that are planned, so that we can meet all of the needs of our patients," Dickson said.

  • 03 Jun 2015 3:58 PM | Anonymous

    Agency also moves from annual to quarterly update of data, Acting Administrator Andy Slavitt announces at Health Datapalooza

    from   |   June 3, 2015   |   By Katie Dvorak

    The Centers for Medicare & Medicaid Services is opening up its data stores to innovators to help them create tools for the commercial marketplace, Andy Slavitt, acting administrator for the agency, said Tuesday morning at Health Datapalooza. CMS is starting to use information to improve the care delivery system, but "needs your help," Slavitt said to the audience at the annual event in the District of Columbia.

    "While this is a big departure, we do this with a clear expectation that you will create a new stream of tools that will improve care and personalize decision-making," he said. "We're allowing companies to combine CMS data with other data, so even what were small silos of data can have enough credibility" to be of use.

    The Medicare claims data will be stripped of patient, but not provider, identifiers. In addition to opening the data, which was previously only available to researchers, Slavitt said the agency will move from an annual to a quarterly update of its data for researchers and innovators. CMS also will require certain data submitted to the agency for use by consumers to arrive in machine-readable format, he said.

    As long as innovators and entrepreneurs are willing to go through the process of having their work designated as HIPAA-approved research, they will have virtual access to granular CMS claims data in the CMS Virtual Research Data Center, Niall Brennan, chief data officer for CMS, added during a panel later in the day.

    "That is really cool; you're not limited in how you use the results or integrate them into your tool," he said.

    Slavitt said as innovators create new business models and determine priorities, areas they should considering focusing on include:

    Making healthcare the most private and secure data in any industry 

    Creating products and services that help take care of the country's sickest and most difficult to treat patients

    Giving doctors and nurses what they want and need the most, including more time with patients

    In keeping with its shift to greater transparency of data, the agency also just released information on Medicare reimbursements. The data shows that Medicare reimbursements to doctors are far from evenly distributed, while hospital charges for top procedures and conditions have increased moderately

  • 03 Jun 2015 3:53 PM | Anonymous

    from  |  June 2, 2015 by Gabriel Perna

    McKesson, the large San Francisco-based healthcare technology vendor, announced this week it is getting out of the care management software business.

    The company sold its McKesson Care Management business to Comvest Partners, a West Palm Beach, Fla.-based private investment firm, for an undisclosed amount. Comvest is planning on renaming the business, AxisPoint Health. The company, which has a care management software platform, will have its headquarters in Westminster, Colo., where it was previously located under McKesson. 

    For McKesson, selling off its care management is a chance to focus on its "core strengths," according to prepared comments from Jeff Felton, president, McKesson Connected Care & Analytics. The company recently announced its quarterly earnings, where most of its divisions did well. The one exception was health IT, where revenues fell 10 percent for the quarter and 8 percent year-over-year. Approximately 900 employees at McKesson were affected and are now employed by AxisPoint Health, of which approximately 700 are nurses and other clinical professionals.

    Comvest said it plans to invest in AxisPoint Health. Mosaic Health Solutions, a healthcare technology investor based in Durham, N.C., is on the deal with Comvest.

    “In the new era of value-based health care, the entire industry is reorienting around achieving the best outcomes by identifying the most appropriate levels of care,” Roger Marrero, Partner at Comvest Partners, said in a statement. “We believe that AxisPoint Health starts out with deep experience and capabilities in the market for connecting members to the right care in the most cost-effective way.” 

  • 03 Jun 2015 3:48 PM | Anonymous

    Of the 23,138 claims filed, 20,306 were accepted, though most of the rejections were caused by issues not related to ICD-10. 

    retrieved from
    Henry Powderly, Managing Editor

    More than 88 percent of ICD-10 claims filed during the latest round of Centers for Medicare and Medicaid Services end-to-end testing passed, the federal agency said, with only 2 percent of rejections coming as a result of ICD-10 coding errors in the claims.

    CMS said 875 Medicare Administrative Contractors participated in the testing from April 27 through May 1, showing a higher success rate than the previous testing session in January.

    The ICD-10 diagnostic coding vocabulary is expected to go live on Oct. 1. It contains nearly 70,000 codes, a major jump from the 14,000 codes in the current ICD-9 set.

    Advocates say ICD-10 offers providers a way to be more detailed and targeted with their diagnosis records, which improves the overall health records that follow patients across their various healthcare providers.

    While most of the world’s healthcare systems are already using ICD-10, the United States is unique in that its diagnostic codes are also used in reimbursement claims. That's what has ICD-10 opponents worried. In the worst case, coding errors can cause claims to be held or not paid, which strains on providers’ finances.

    CMS said its latest round of testing suggests most providers are ready, though.

    Of the 23,138 claims filed to its Common Electronic Data Interchange, 20,306 were accepted. Also, most of the rejections were caused by issues not related to ICD-10.

    This round’s 88 percent acceptance was higher than its last round of testing in January, when 81 percent of claims went through.

    CMS will hold another round of testing in July.

  • 03 Jun 2015 3:18 PM | Anonymous

    retrieved Jun 3, 2015   |   Boston Business Journal   |   Jessica Bartlett 

    Blue Cross Blue Shield of Massachusetts has found a new way of innovating in health care: partner with fledgling startups.

    The state’s largest insurer has been investing in startups for the last two years through its investment arm Zaffre Investments, partnering with companies that can provide new services to its members.

    But lately the insurer is going one step further, discussing with fledgling companies what needs to be created to better the health care system, and acting as an accelerator program to more closely foster innovation.

    “As we were thinking about our new location here (at 101 Huntington Ave.) and what could we do differently to be that convener, it struck us as an opportunity,” said Jason Robart, president and CEO of Zaffre.

    The innovation hub concept has so far materialized into a competition through startup connector Elevar, bringing 150 companies to the insurer to help develop solutions. The insurer wanted companies to solve one of three problems: engaging with millennials, engaging with baby boomers, and engaging with communities around health.

    “In almost all cases, they were companies that had a product or idea already,” Robart said. “It was a great example of a two-way street of innovation. These were some smart folks with great ideas. We were able to give them the payer’s perspective and with a few tweaks, it might address a different problem.”

    The companies were since narrowed down to three. Zaffre is in the final stages of putting in place a pilot program with one of the companies focused on engaging baby boomers and seniors.

    The process is helping Blue Cross have a hand in the innovations being developed from the ground up, as well as continuing to diversify Blue Cross Blue Shield of Massachusetts’ business – the insurer typically takes an equity stake in exchange for funding.

    Already Zaffre has invested over $10 million in a variety of companies, including Ovuline, a fertility and pregnancy app that helps the insurer better connect to its members using the app, and InformDNA, which acts as a counselor to patients and to insurers to make genetic testing more streamlined and efficient.

    “We realized that as we think about how the market is evolving, the opportunity for us to get closer to where innovation is happening in the market was going to be critically important, particularly as we thought about things like consumer engagement, and … how do we start to think differently about individual consumers that need support,” Robart said.

  • 02 Jun 2015 3:23 PM | Anonymous

    From  |  Eric Chabrow, June 1, 2015

    In assessing risk, computer security has three characteristics: confidentiality, integrity and availability. But not all of those traits help systems designers assess privacy risks. So the National Institute of Standards and Technology is developing a privacy risk management framework.

    NIST has issued a draft of the privacy framework, Interagency Report 8062: Privacy Risk Management for Federal Information Systems, which identifies the objectives of privacy risk as predictability, manageability and "disassociability." It's designed to be used by designers and engineers in building information systems that implement an organization's privacy goals and support the management of privacy risk.

    "We wanted to be able to build a distinct but complementary framework that would provide some of those tools to help understand where the overlap and distinctions are between security and privacy risk," says NIST Senior Adviser Naomi Lefkovitz, who worked on the report.

    Defining Disassociability, Other Traits

    According to the report:

    • Predictability enables reliable assumptions by individuals, owners and operators about personal information and its processing by an information system.
    • Manageability provides capability for granular administration of personal information, including alteration, deletion and selective disclosure.
    • Disassociability allows the processing of personal information or events without association to individuals or devices beyond the operational requirements of the system.

    How Security, Privacy Risks Differ

    Designers think of security risks as threats and vulnerabilities, and design systems to address them. But Lefkovitz points out that privacy risks are often caused by the way designers architect systems, even secure ones. Operations that process personally identifiable information could pose privacy threats. "When security people think about threats, they think of bad actors or events out of their control, such as natural disasters," Lefkovitz says. "But [in regards to privacy], it's the operation of the system that's giving rise to the risk."

    As an example, Lefkovitz points to smart metering of electricity. The systems can be built securely to protect the private information collected, but the data itself can reveal people's behavior inside their homes. In addition, the report says, security tools designed to safeguard PII from malicious actors, such as persistent activity monitoring, could reveal information about individuals that is unrelated to cybersecurity.

    The privacy framework NIST is developing also is creating a common vocabulary for privacy risk. "Privacy principles are these general, high-level terms, and it's hard for engineers and designers to translate them into specific requirements for the system," Lefkovitz says.

    As the draft report states, risk is often expressed as a function of the likelihood that an adverse outcome occurs multiplied by the magnitude of the adverse outcome should it occur. The draft examines this concept of risk and how it can be expressed in terms that facilitate improved identification and management of privacy risk.

    To aid agencies in using the privacy risk management framework and to apply the privacy risk model, NIST has developed an initial set of worksheets, collectively referred to as the Privacy Risk Assessment Methodology, or PRAM. This document describes the inputs to the PRAM, and provides examples for organizations to follow when applying the privacy risk management framework to their own systems.

    Privacy Risk Assessment Methodology

    Though NIST is developing the privacy framework for U.S. federal agencies, Lefkovitz says it could easily be adopted by other governmental and nongovernmental organizations, including entities in the private sector. Several organizations that are piloting authentication and identity systems for NIST's National Strategy for Trusted Identifies in Cyberspace have used worksheets in the privacy framework to help develop their projects.

    NIST is seeking feedback on the privacy framework that could be incorporated when the final version of the report is issued. NIST does not provide a firm date fir when it issues final versions of its publications, but publication often occurs within three to six months after releasing a draft. Comments should be sent to by 5 p.m. EDT, July 13 by using this comment form.


  • 01 Jun 2015 3:51 PM | Anonymous

    Tinker Ready, for HealthLeaders Media , June 1, 2015

    John Halamka, MD, the Beth Israel Deaconess Medical Center CIO who is co-chair of the federal HIT Standards Committee, shares his views on interoperability, information blocking, and the lifespan of Meaningful Use.

    John Halamka, MD, chief information officer of Beth Israel Deaconess Medical Center, has issues with the way both Congress and the federal government  see the state of health information technology. Last week he wrote in his blog about "how Congress… [has] entered the Trough of Disillusionment for EHRs and interoperability."

    Halamka spoke with HealthLeaders Media on May 29 about interoperability, Meaningful Use, and information blocking. The transcript has been edited for brevity and clarity.

    HLM: Interoperability has emerged as a major issue in the push for health information technology. Why isn't the system where Congress and the Department of Health and Human Services say it should be?

    Halamka: Think about Meaningful Use. The idea is—Stage 1—Let's get folks to adopt electronic health records. The country had about a 20% adoption rate. Stage 2 is to get them to start exchanging data. The concept was that, by Stage 3, we would be sharing data for care coordination, population health, genomics, clinical research, and all the rest.

    This has always been the plan. So people say, 'Wait a minute. Here we are in the middle of Stage 2. Where's all the interoperability?'

    It was a five-year project and we're just at the beginning of where we're supposed to be. We're on course. It's all OK. EHRs are recording data electronically. Systems are sharing data for many purposes—public health, lab results, syndromic surveillance, and transitions of care. And now we get to the next step and there are a few necessary requirements.

    HLM: What are those requirements?

    Halamka: Suppose you are seeing Dr. Bob over in Cambridge and he needs a copy of your records from Beth Israel Deaconess Medical Center. How do I know how to reach Dr. Bob? What is Dr. Bob's electronic address?

    It turns out that Massachusetts has a provider directory that provides that information. Most other states don't. So there is some enabling infrastructure that could be provided at a regional level and national level to help us route information from one place to another.

    It's not information blocking. It's not HIT vendors being reluctant or hospitals holding their data hostage.

    Similarly, suppose that you have a negative HIV test. In Massachusetts there is a law that says if you have an HIV result in your record, we need very special permission to exchange your record. It requires you to consent to disclose.

    It also requires that for every episode of care, for every doctor, you have to have another consent for that data to be viewed. You've already said you are completely fine sharing your HIV results, but you are going to be consented every time you go to the doctor.

    We have this heterogeneous fabric of privacy laws across our states.

    HLM: A national patient identifier would accelerate interoperability. You suggest a program for a voluntary identifier. Is there any effort to change privacy laws preventing the creation of a mandatory identifier?

    Halamka: There are always going to be some people who say, 'I don't like anything, whatever it is.' What if I had safe, coordinated efficient care, with mandatory national identifiers? 'That's too much government. I worry about my privacy, and I don't want a national identifier. I'm a human, not a number.'

    There are others who say, 'If my care would be more efficient and safer and higher quality, I would very happily have an identifier for healthcare because I don't' want the wrong kidney removed.' So, with that spectrum… the only thing we can do is voluntary.

    HLM: ONC and some lawmakers think that one of the barriers to interoperability is information blocking. They define it is as companies limiting data sharing, or overcharging to set it up as a way to gain a competitive advantage. Can you describe how you see this issue?  

    Halamka: You have policy makers saying, 'There's no interoperability.' It must be the vendors or it must be the hospitals, or it must be the standards. But, it's more complex than that.

    Unfortunately, Congress, which often wields the blunt instrument of legislation, says we'll just make information blocking illegal and that will fix all the problems. No. It doesn't really help.

    HLM: You describe reaction to information blocking as reaction to the Loch Ness monster—everybody is talking about it, but nobody has seen it. Do you think information blocking is a myth?

    Halamka: I have never seen it. If the definition of information blocking is that the vendors have all hired Chief Information Blocking Officers who spend their nights thinking about ways to restrict information flow, I've never seen it. Find me one example.

    HLM: ONC says it's gotten 60 reports of information blocking. Might it be happening in a less obvious way?

    Halamka: I am guy who has no agenda. I am not dogmatic. I will evaluate any evidence that it put front of me. Maybe there's a niche vendor that's doing it, but I've never found a mainstream vendor who is going to go against the wishes of its customers to exchange data.

    HLM: One complaint is not that vendors refuse to share data, but that they are charging a lot to do it.

    Halamka: The question is, what's a lot of money and what is the work involved? If people complain that 'my lab interface was $5,000, well, if it's a novel lab interface that's never been done before, it is a substantial amount of work to map all the lab tests.

    It actually takes me about 16 weeks to produce a lab interface. So I don't think $5,000 is unreasonable. Others may. Again, look at the data. Let's see what people want done and what's being charged for it.

    HLM: You have said that companies could also use a law against information blocking to their competitive advantage. Would they do that by filing complaints to hinder competition?

    Halamka: They could say, "We lost this deal to ABC vendor. They are information blockers. Let's send OIG [the Office of Inspector General] and the FTC [Federal Trade Commission] to torture them for years. "

    HLM: Can you describe your objections to Meaningful Use Stage 3?

    Halamka: Meaningful Use Stage 1 was a wonderful foundation. It really brought us up to a level where everyone is using electronic health records that are good enough.

    Stage 2 got a little bit aggressive. It moved too fast and was too much. We didn't' have enough time between when the regulations were finalized and the reporting period began for the vendors to actually create easy to use products. They had to really rush these things through development. It was a disservice to the industry to move that fast.

    Now Stage 3: With accountable care organizations and various kinds of patient-centered medical homes, we are starting to develop quality registries and interoperability. The private sector has incentives to do all this stuff. So, at this moment, we don't really need more regulation. We just need more time.

    If you want to put out a few merit-based incentive programs, fine. But it's probably time to retire the Meaningful Use construct and just let the private sector, with incentives from the ACA, go forward for the next few years.

    HLM: So you think Meaningful Use Stage 3 should be abandoned?

    Halamka: If you want to call Meaningful Use Stage3 a small number of merit- based incentives, that's OK. But to create 731 pages of regulations that are going to co-opt the agenda of vendors and providers seems like a mistake.

    HLM: Wasn't the original idea behind Meaningful Use accountability? We're going to give you money for an HIT system, but we need to make sure you are using in a way that benefits your practice, patients, and payers.

    Halamka: So, do that with ACA. You are going to be paid for outcomes—keeping people healthy. You can't do that unless you've implemented IT effectively. I love the idea of payment based on outcomes. But don't prescribe—with 731- pages—the minutiae I have to do for every process to get there.

    HLM: What is your advice to hospitals that are trying to make sense of all this?

    Halamka: Don't listen to the rhetoric. These issues are complicated. They involve people and politics and technology. There is no magic bullet here. There is just hard work. If we all agree that we want to make patient care better in this country and that we are going to look at a roadmap and step-by-step make it better.

    That's where we need to focus. Let's not eliminate this committee and form another. Let's not go blame the vendor. Those are simplistic, naïve solutions. We just need to keep our eye on the prize and make progress.

  • 01 Jun 2015 10:25 AM | Anonymous

    retrieved from  |   May 29, 2015

    Federal regulators appear to be getting closer to conducting the next round of HIPAA compliance audits, so now is the time for covered entities and business associates to prepare for potential enforcement scrutiny, says healthcare attorney Brad Rostolsky.

    The Department of Health and Human Services' Office for Civil Rights recently began sending screening surveys to covered entities and business associates to identify potential candidates for the upcoming phase two of OCR's random HIPAA compliance audits.

    A copy of the OCR survey that's available on the Office of Management and Budget website says: "This screening questionnaire is intended to gather data about the size, complexity, and operations of potential auditees for the HIPAA Privacy, Security and Breach Notification Audit Program."

    The survey notes: "Data will be used with other information to help us select entities that reflect a variety of types, size and locations for the Audit Program. Please note that if your organization is selected for audit, communications from OCR will be sent to the email addresses of the contact persons identified below."

    A description of the survey on the OMB website says OCR is approved to send out surveys to 500 covered entities and 200 business associates.

    An OCR spokeswoman declined to offer more details on the timeline for the audits. "OCR can confirm that we have started verifying contact information for covered entities," she says. "Additional information about the audit program is forthcoming. Check our website for updates."

    Just because a covered entity or business associate receives a pre-audit survey from OCR, it doesn't necessarily mean they'll definitely be audited, Rostolsky says in an interview with Information Security Media Group. "However, it narrows the pool."

    Time to Prepare

    All healthcare organizations and business associates need to take steps now to prepare for a potential audit, a breach investigation or other inquiry from federal regulators, Rostolsky says.

    "Now, before anyone receives a screening or any other OCR inquiry ... take a moment while there is no chaos going on and do a good status check on your overall compliance efforts," he urges.

    "Make sure your policies and procedures are in place; you've conducted your security risk assessment ... and it's been updated. Make sure you've been conducting [security] training and have evidence of that training."

    Also, in anticipation of an audit or other potential regulatory enforcement actions, Rostolsky urges organizations that have had health data breaches or HIPAA violations to carefully reassess their actions in the aftermath of the incidents. "Take a look at your files in terms of how you've handled incidents of potential privacy rule violations. Did they amount to breaches, and when you determined the breaches, did you follow the rules correctly? Understand what you have in your files so that you're prepared for what OCR is going to see."

    In the interview, Rostolsky also discusses:

    • The differences between potential audits of covered entities versus business associates;
    • What OCR will likely examine during HIPAA compliance audits;
    • How to prepare for on-site versus remote desk audits. OCR officials have previously said both types of audits might be conducted, depending upon available resources (see HIPAA Audits: A Revised Game Plan).

    OCR did not immediately respond to an ISMG request for comment on the status of the HIPAA audit program plans.

    Rostolsky is a partner in the life sciences health industry group at the law firm Reed Smith. With a focus on healthcare regulatory and transactional law, he leads that group's HIPAA and health privacy and security practice. He's also a member of the firm's global Ebola task force. Rostolsky has extensive experience advising clients on all aspects of health information privacy and security compliance.

Massachusetts Health Data Consortium
460 Totten Pond Road | Suite 690
Waltham, Massachusetts 02451

For more information,
please contact us at

join our mailing list

© Massachusetts Health Data Consortium