D.C. Report: IOM Health IT Report Released, HITSC Seeks Comments, HIE Standards Confirmed

IOM Drops Long-Anticipated Report on Health IT and Patient Safety Washington was abuzz this week with the release of the Institute of Medicine’s 197-page report "Health IT and Patient Safety: Building Safer Systems for Better Care.” The much anticipated report said that current market forces are not adequately addressing potential risks associated with use of health IT and that more attention needs to be brought to patient safety and EHRs. IOM made ten recommendations (.pdf), including the need for HHS to develop a multi-stakeholder strategy within one year to “assess the impact of health IT on patient safety and minimizing the risk of its implementation and use.” Another recommendation would establish two new federal bodies: the HHS Health IT Safety Committee would set criteria for the safe use of HIT; while an independent federal agency modeled after the National Transportation Safety Board would investigate incidents. These recommendations were given in light of “mixed opinion on how FDA regulation would impact the pace of innovation but identified several areas of concern regarding immediate FDA regulation.” Some members of the report favored a scheme that gave FDA the authority to regulate EHRs as “Class III” devices – the most strictly regulated of medical devices – while others felt the FDA would likely restrict market innovation in health IT, which could also jeopardize patient safety.

However, Recommendation 9a states: “If progress toward safety and reliability is not sufficient as determined by the Secretary, the Secretary should direct the FDA to exercise all available authority to regulate EHRs, health information exchanges, and PHRs.” And 9b follows: “The Secretary should immediately direct the FDA to begin developing the necessary framework for regulation. Such a framework should be in place if and when the Secretary decides the state of health IT safety requires FDA regulation as stipulated in Recommendation 9a above.” See also, Dr. Farzad Mostashari’s response to the IOM report in a blog post on the ONC’s website.

CHIME is examining the IOM report for possible response. Please contact Sharon Canner or Jeff Smith for more information.

ONC Advisory Group Seeks Comments on Exchange Specifications Through a post on the Federal Advisory Committee Blog this week, the Health IT Standards Committee (HITSC) is seeking comments from anyone who has experience exchanging information through the Nationwide Health Information Network (NwHIN) using Exchange specifications and protocols. On September 28, 2011, the HITSC provided recommendations regarding standards and specifications for the nationwide health information network, via a transmittal letter (.pdf). As part of the transmittal letter, HITSC recommended that ONC perform further assessment of industry adoption, and deployment, operational, and administrative complexity of the Exchange specifications – especially from those who have implemented these specifications in organizations other than Federal agencies, and from organizations that have implemented a technology stack different from that represented in the Exchange specifications. ONC requests feedback on fourteen questions ranging from wanting to know the business function supported by Exchange in your organization to asking how easy or difficult the Exchange specifications were to understand, interpret, and implement. Find out more information on the Request for Comment here.

HIPAA Compliance Audits on the Horizon According to the HHS Office of Civil Rights, a pilot audit program to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards has begun. A three-step process has been in development since July and a test of twenty initial audits will begin in November and go through April, OCR indicated on its website. The OCR responded by saying the audit program launched Nov. 4 with the sending of notification letters to five of the first 20 entities to be audited. The OCR intends to complete upwards of 150 audits by the end of calendar 2012. According to OCR, audits are primarily a compliance improvement activity. The Office will review the final reports, including the findings and actions taken by the audited entity to address findings and the aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. “Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem, the Office said, “OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.”

Multistate Workgroup Agrees to HIE Standards A broad coalition of eight state health information organizations (HIOs) and eleven health IT vendors have agreed to a set of technical specifications that they hope will help standardize health information exchange. The EHR/HIE Interoperability Workgroup was established by the New York eHealth Collaborative (NYeC) and is comprised of its federally designated counterparts in seven states, including California, Colorado, Maryland, Massachusetts, New Jersey, New York, and Oregon. The Workgroup has published Version 1.0 of specifications on two use cases for a compliant Continuity of Care Document, with corresponding functional and technical specifications for each. The first use case, Statewide Send and Receive Patient Record Exchange, describes how encrypted health information can be transmitted over the internet. Developments made by the Direct Project and the Nationwide Health Information Network Exchange informed the Send and Receive use case. The second, the Statewide Patient Data Inquiry Service Use Case, describes the clinician’s ability to query an HIE for relevant data on a specific patient. Specifications for this second use case identify how the consortium agrees to leverage the IHE Profiles and NwHIN Exchange production specifications to facilitate patient queries and CCD retrieval. The documentation included in the Statewide Patient Data Inquiry Service includes a Functional Specification, Technical Specification, Summary CCD Document, and CDA Source of Information.

Health Data Privacy Takes Center Stage during Capitol Hill Hearing The Senate Judiciary Privacy, Technology and the Law Subcommittee held a hearing November 9, 2011 titled “ Your Health and Your Privacy: Protecting Health Information in a Digital World.” In his opening statement, Chairman Al Franken (D-Minn.) conveyed his understanding in the power of health information technology to improve health outcomes and make care more efficient. However, he also acknowledged a growing need to address privacy concerns with the healthcare industry making such a push to go digital. Ranking minority member Tom Corburn (R-Okla.), a physician himself, expressed reservations that electronic health information can ever be adequately secured and wondered if the EHR Incentive Program was the correct course of action. “I have a real concern both for the privacy issue but also the goal that we're trying to accomplish may not be accomplishable,” he said.

Chairman Franken also strongly called for the Obama Administration to publish the final enforcement rules for business associates under HIPAA two and a half years after passage of the HITECH Act (part of the American Recovery and Reinvestment Act of 2009). He emphasized that the public’s trust in the privacy and security of their health information is necessary to gain the widest adoption of electronic health records and health information exchange and to reap the full benefits they will bring to our healthcare system.

Among the witnesses Kari Myrold, Privacy Officer at Hennepin County Medical Center in Minneapolis, MN focused on how the I-35W Bridge collapse in 2007 solidified for her hospital why electronic health records were the way to go. Doctors at Hennepin realized the value of being able to tend to those victims more quickly and more effectively by calling up patients' charts and track patients throughout the hospital and in other systems far easier than paper records. Kari also mentioned that Hennepin has continued to invest in EHRs; under the leadership of CIO Joanne Sunquist, Hennepin successfully attested to Meaningful Use in August. She continued during the Q&A to talk about the big picture of why hospitals put so much effort into securing patient data. “Patients need to be comfortable and have confidence in their providers so that when they're in there seeking treatment they want to make sure that they're able to disclose everything that they need to disclose in order to get the right treatment. And having that confidence means that their information is going to be protected.”