EXECUTIVE SUMMARY
State legislation poses an added layer of challenges for CIOs, with privacy and security, patient consent, technology, and payment reform requirements that go beyond federal mandates.
When it comes to health IT policy mandates, regulations and legislation, Meg Aranow may have different opinions depending on which hat she is wearing on any given day.
As vice president and chief information officer for 508-bed Boston Medical Center in Massachusetts, Aranow thinks she knows what is best for her organization and the right pace of change for her institution. “Your attitude tends to be, I am smart and well intentioned, so leave me alone.”
But as a member of the Massachusetts Health Information Technology Council, charged with overseeing implementation of statewide interoperable health records by Jan. 1, 2015, she sees things quite differently. “As a member of the council, I have a much greater appreciation for the role of policy and legislation to move groups of people at a faster pace.”
And in Massachusetts, legislation pre-dating the Health Information Technology for Economic and Clinical Health (HITECH) Act has serious consequences for non-complying providers. Chapter 305 of the 2008 legislative session of the Massachusetts Legislature requires that hospitals and community health centers use interoperable computerized physician order entry (CPOE) systems by October 2012 as a condition of licensure. By 2015, physician licensure will be conditioned on demonstration of competency in CPOE, e-prescribing, and other forms of health IT, as determined by the Board of Registration in Medicine.
With so much media and consulting firm attention focused on federal efforts to promote health information technology adoption, the role of state legislation is often overlooked. But in many states, including California, Massachusetts, New York, and Minnesota, health IT incentives and mandates preceded the HITECH Act, and CIOs in those states must calibrate their efforts to respond to both meaningful use and state-level requirements, which can be especially tricky when it comes to privacy and security guidelines.
Traditionally, state privacy laws have been scattered rather than uniform, notes Helen Oscislawski, a Princeton, N.J., attorney who is a member of the New Jersey Health Information Technology Commission. State laws about privacy and security were written for a paper world and most haven't caught up yet, she adds. “For instance, here in New Jersey there have been laws that apply to licensed ambulatory care centers and different laws that apply to hospitals about consent for sharing data.”
Oscislawski says that the national push to share data outside the four walls of an institution is forcing state legislatures to make their own judgment calls on privacy and consent issues and legislators must weigh the practical impact of laws they pass.
“CIOs would like one simple set of rules,” she says, “but unfortunately they have to look at both federal and state rules and follow whichever is most stringent.”
Some CIOs say that tracking the combination of new federal and state rules is daunting. “There is a rainstorm of new regulations and incentives from Washington, some of them doing wonderful things, in HITECH and PPACA [Patient Protection and Affordable Care Act],” says Tina Buop, chief information officer for Muir Medical Group IPA, a multi-specialty IPA of more than 600 physicians in Walnut Creek, Calif. “But with so many requirements changing, it is a challenge to find them all and have them in one place. Add in state requirements, and it is incredibly difficult to keep up.”
Although she has served on the California Privacy and Security Advisory Board, Buop says she still has difficulty keeping up to date. In California, she has her eye on three pieces of legislation, two of which have been signed into law. AB 211 requires providers to implement specific safeguards for patient data security, and SB 541 increases both the fees for any breach and the disclosure reporting requirements. Covered entities in California may face both state and federal investigations in breaches affecting more than 500 records.
Not yet signed into law, SB 850 would require an electronic health or medical record system to automatically record and preserve any change or deletion of electronically stored medical information, and would require the record to include, among other things, the identity of the person who accessed and changed the medical information and the change that was made to the medical information.
“At Muir, we have tight change controls and a tracking system,” Buop says, “but what if a physician started to write a prescription and then realized it was for the wrong patient? As the hosting organization, would we have to automatically preserve the initial mistake, which may require additional archiving and cost physicians more? Every time the legislature passes something like this, there is a financial impact for hospitals and physicians.”
From a technical standpoint, she adds, rules that are uniform across the country are much easier for software vendors and for implementation teams to put in place.
DON'T MESS WITH TEXAS' PHI
Also on the privacy and security front, the Texas Legislature raised some eyebrows this year by passing HB 300, which, among other things, requires ongoing employee training about laws concerning protected health information (PHI) and increases penalties for the wrongful disclosure of PHI.
“It's ironic that a Republican-controlled legislature that is against most forms of regulation would pass something like this unanimously,” says Michael Silhol, an attorney in the healthcare practice group of Haynes and Boone LLP in Dallas. “This is pretty heavy-handed. It replicates a lot of HIPAA, but these people believe HIPAA doesn't go far enough.” The biggest difference, he says, is in the definition of a covered entity. “You have one definition for HIPAA and HITECH and another for Texas.”
“What it does more than anything else is monkey with the thresholds,” says Michael Frederick, chief information security officer at Baylor Health Care System in Dallas. For instance, HB 300 shortens the window of time to respond to a request from patients for their EHR data in electronic format to 15 days from 30 days, the federal standard under HIPAA. The biggest impact on hospitals might involve training. An employee must complete training about handling PHI within 60 days of hire and such training must be repeated at least once every two years, a more stringent requirement than the HIPAA Privacy Rule.
Tony Gilman, CEO of the Texas Health Services Authority (THSA), a public-private cooperative charged with developing standards for interoperable healthcare in the state, says Texas has always had a strong history of protecting patient information, “so it wasn't surprising that this was something the legislature chose to address as we move from paper to electronic exchange of information. We have had a different definition of covered entity since 2001, but this extends the current law from a paper domain to an electronic one.”
Edward Marx, senior vice president and chief information officer for 24-hospital Texas Health Resources and THSA chair, says THSA made a concerted effort to get input from CIOs and CISOs and held stakeholder meetings prior to HB 300's passage.
“I think it is very beneficial to have this clarity at the state level,” Marx adds. “We see the federal requirements as the floor and by no means the best practices. I think the CIOs in our state don't accept just meeting minimum standards. Why not take it to another level and raise the bar for ourselves?”
LEGISLATING CONSENT
Besides the security and governance of health information exchanges, state legislatures and designated HIT entities are grappling with patient consent issues. In this year's legislative session in Maine, a bill drafted with the support of the Maine Civil Liberties Union was introduced that would require the state's HIE to switch from an opt-out model of consent to opt-in, which leaders of the state's HealthInfoNet HIE thought would be unworkable. A compromise was crafted that gives patients a separate form about the HIE and explicitly offers the opportunity to opt out.
That contentious issue is being played out all across the country. “Consent is going from the theoretical to the implementation phase and adjustments are having to be made,” says Ree Sailors, program director of health IT for the National Governors Association. Some states that started with Medicaid as the lead agency began with opt-out as the default and have had to adjust as the public learns more about health data exchange, she adds.
Boston Medical Center CIO Meg Aranow believes that it would help to have privacy and consent policies developed on the national level. “Having each state work out their own rules and then have to harmonize with each other for interstate exchange is more work than necessary,” she says.
The Commonwealth of Massachusetts is still working on establishing privacy and security rules for statewide health data exchange. But Aranow believes that Chapter 305 was well constructed to promote widespread health IT usage. “In terms of legislation, it was as good as it gets,” she says. “I don't expect legislators to come down here and work for a month to better understand the issues. There was input from CIOs, filtered through policy makers and then through legislative staff members,” she adds. “Of course, the CPOE aspect is going to be a greater challenge for some hospitals than for others,” Aranow says. “It is a challenging time anyway for community hospitals financially.” But the legislators understood that the key to getting many entities to make changes is a long ramp time, she says.
Rick Shoup, director of the Massachusetts eHealth Institute and the state-designated health IT coordinator, says his office is working closely with providers to make sure they can meet the Chapter 305 goals, as well as meaningful use goals. Most of the 72 hospitals in the state are making progress toward the 2012 CPOE deadline, he says, and there may be funding in the Regional Extension Center to help those that are having difficulty. “We are very metrics-driven and report to the HIT Council, the Massachusetts Technology Collaborative board and the Legislature on progress toward these goals,” Shoup says. “We already have 75 percent adoption of EHRs.”
Like Massachusetts, Minnesota has been a leader in legislating the use of health information technology. It has had an e-health initiative since 2004. Minnesota has e-health mandates involving e-prescribing by 2011 and the use of interoperable electronic health records by 2015. Recent legislation also specifies rules about how health information organizations exchange data.
Unlike in Massachusetts, Minnesota's e-health mandates have no enforcement mechanisms, notes Liz Cinqueonce, the deputy director of the Minnesota Department of Health Office of Health Information Technology. The state has had to align its efforts with federal efforts. “After the HITECH Act passed, we had several calls from people unsure whether to continue work to meet the state e-prescribing mandate or work toward broader EHR goals of meaningful use that include e-prescribing,” she says. “Our answer was that if they could demonstrate that they were working toward the larger goal, they shouldn't make any decisions or purchases that are just to meet the short-term e-prescribing goal.”
The state's EHR mandate is complementary to meaningful use and its timeline is still a few years out, she says.
The state has begun gathering and publishing data on a series of e-health measures. “We use this assessment data to see who is advancing and who is not,” Cinqueonce says. “It can help monitor advancement toward meaningful use and identify barriers and needed resources. In some cases it may be workforce rather than software or funding issues.”
TOWARD PAYMENT REFORM
Next up on the agenda of many state legislatures is payment reform, and that will include definitions of the role of health IT as the infrastructure. Hospital CIOs should be paying attention to state efforts related to integrated delivery systems, ACOs, payment reform and the ability to measure and report performance, says Lynn Dierker, senior program director for the National Academy for State Health Policy. “States like Colorado and Vermont that are working on their own pioneering efforts at payment reform recognize that they have to be built on top of their IT platform,” she adds, “and the legislatures have to define how quality measures are reported.”
Some states may pass legislation that requires quality reporting through the state HIE to help with its sustainability case, NGA's Sailors adds. “They want to discourage Lone Rangers who don't share data outside their own health systems.”
Rick Shoup expects the Massachusetts Legislature to tackle payment reform in 2012. “It will be hard to participate in that without the systems in place and connectivity. So we have to get our specialists, behavioral care, and long-term care providers involved in HIEs.”
Healthcare Informatics 2011 November;28(11):18-23