Archives: Governance Issues

This is the seventh installment in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

For a number of months this series has been emphasizing the importance of establishing a credible and knowledgeable liaison at the governing body and/or senior administrative level to articulate and educate the diverse stakeholders about the new challenges and initiatives in HIPAA and HIT. The liaison should be a champion and advocate for a rational and comprehensive approach for HIT.

The increasing complexities and costs of new IT systems and the need to demonstrate their “meaningful use” have greatly raised the stakes in this area for hospitals. Errors or false starts in HIT and the financial consequences of HIPAA violations under HITECH can be materially injurious to the organization’s finances, public image, internal stability and quality of patient care. They can also cause the loss of potential subsidies from HITECH.

Often the IT leader at a hospital does not have sufficient standing or skill set to serve as the champion. It was not the principal reason that he or she was hired. In such a case the governing boards should recruit either a knowledgeable board member or a senior staff person to serve this function.

The article on October 20, 2009 by Molly Merrill, Associate Editor of Healthcare IT News, adds further confirmation of the need for a qualified IT champion.

Ms. Merrill wrote that a new survey, conducted by Ponemon Institute and sponsored by San Jose, California-based LogLogic, shows that IT practitioners believe their organizations are lacking when it comes to protecting patient information. Moreover, Ms. Merrill continues, “[a]ccording to the study, 61 percent of [IT] practitioners believe their organizations don’t have enough resources to meet privacy and data security requirements – and 70 percent think senior management doesn’t consider it a priority.”

Ms. Merrill quotes the survey as concluding the following:

Without resources and support from senior management, preventing the loss of data may be very difficult. We recommend that organizations pursue a strategy of assigning accountability for the protection of electronic health information, appropriate technology to prevent the insider threat (such as DLP [data loss protection] solutions) and senior management buy-in for the necessary resources to get the job done right. [Emphasis supplied]

This survey underscores the frustrations and challenges that are present for the majority of IT leaders at hospitals. They may lack the standing within the organization to make a meaningful impact on senior management and the governing boards. Even if they hold a high-level position within the organizations and are highly proficient in their jobs, they may not be sufficient champions to interpret their complex world to their senior management and governing boards. It is incumbent on these organizations to identify a champion who possesses the skills to absorb and interpret the complex IT world for stakeholders who have limited knowledge of the subject.

[To be continued in Installment 8]

[Installment 6 – Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

On August 4, 2009 the Associated Press reported at http://www.usatoday.com/news/health/2009-08-04-electronic-medical-records_N.htm that Sac-Osage Hospital, a 47-bed hospital in rural western Missouri, “is borrowing nearly $1 million to pitch its paper medical charts and purchase a state-of-the-art electronic health records [EHR] system. The hospital is hinging its survival on what it hopes will be a $3 million windfall of federal incentives for hospitals that go digital.”

This survival strategy for Sac-Osage Hospital is hazardous because there is an inherent risk in the hoped-for windfall in 2011 under the economic stimulus law. As the AP report goes on to state: “The risk lies in the federal government’s ultimate definition of what constitutes a ‘meaningful use’ of electronic records.”

As I reported in my fifth blog post on July 28, 2009, health providers will have to meet minimum prescribed standards (the meaningful use) for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act to recoup a portion of the heavy costs that they will incur to implement their EHRs programs. 

The bet that Sac-Osage Hospital says it is making by borrowing to invest in EHRs is the highest – the very survival of the hospital. Its Board and Administration have clearly made the determination that other possible alternatives for capital financing and investment by the hospital will not have the monetary potential return of the HITECH windfall. It is somewhat sobering that Sac-Osage Hospital bases its financial survival plan not on more effective delivery of healthcare or new treatment modalities but on digitalization of its health records. However, a positive by-product of EHRs and the demonstration of “meaningful use” that will be needed to realize the fruits from HITECH of an investment in EHRs presumably will be fewer medical errors, a more efficient healthcare delivery system and a higher quality of care.

Unfortunately for Sac-Osage Hospital and other health providers seeking to benefit from the HITECH windfall, the landscape for qualification could change markedly over the next two years. As technology evolves, the expectations as to what constitutes meaningful use may rise. Sac-Osage Hospital and other small rural hospitals will also be competing for a share of HITECH money with larger and more well-financed institutions that are much further advanced with EHRs.

Other challenges can come not just from the crystallization of “meaningful use” but also the enactment of the health reform package that is looming ahead. The package itself may directly or indirectly affect how EHRs are to be generated and used, thereby impacting programs for implementing HIT. 

Hopefully, the substantial majority of hospitals are not in a mode that their survival depends on the stimulus money from implementing EHRs. However, the Boards of health care providers cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. These matters must be appropriately analyzed and monitored continuously at a high level in the hospital, with committed Board oversight. 

 [To be continued in Installment 7]

[Installment 5 – Governance Considerations from HIT for the Board and Other Hospital Stakeholders] 

This is the fifth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT. 

The other week, two separate and apparently unrelated events occurred on consecutive days with respect to electronic health records (“EHRs”) that dramatically underscore the focus of this series. Governing Boards of hospitals and other stakeholders must place a very high priority in their struggle to cope with the new and somewhat uneven landscape of health information technology (“HIT”).

On July 16, 2009, Health Data Management reported that “[t]he federal HIT Policy Committee has approved revised recommendations of a workgroup for an initial definition of ‘meaningful use’ of electronic health records systems.” The report goes on to emphasize that “[t]he definition is important because providers must demonstrate meaningful use of EHRs to qualify for Medicare and Medicaid incentive payments starting in 2011 under the economic stimulus law.”

Therefore, health providers will have to meet minimum prescribed standards for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act to recoup a portion of the heavy costs that they will incur to implement their EHRs programs. 

On the following day, July 17, 2009, the federal Department of Veterans Affairs (“VA”) published a press release on its Web site that it will temporarily halt 45 information technology projects which are either behind schedule or over budget. These projects will be reviewed by the VA, and it will be determined whether these projects should be continued. The release goes on to say that each of the 45 affected projects will be temporarily halted with no further development until a new project plan that meets the requirements of Program Management Accountability System is created.

Some of the titles of the VA projects that will be halted include significant EHRs-related projects such as “Health Data Repository II,” “Clinical Data Service,” “Home Telehealth Development,” “Occupational Health Record Keeping System,” “Lab Data Sharing & Interoperability – Anatomic Pathology/Microbiology” and many others.

By simply securing additional funding from Congress, the VA, as an agency of the federal government that is generally a favorite of the legislators, can retool and retrench its EHRs initiatives after making a relatively embarrassing press release and perhaps enduring some criticism and lost time. 

The Boards of health care providers do not have the luxuries of the VA. They simply cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. As this blog has stated in earlier installments, the survival of many hospitals is threatened by the uncertainties of possible health care reform, declining patient population, reduced reimbursement, heavy regulation, intense competition, dwindling donor contributions and heavy endowment losses for non-profit hospitals, a history of unclear returns from past substantial investments in HIT and many other factors. The costs of mistakes for the private sector hospitals are not simply the embarrassment or lost time of the VA. They are the huge outlays for conversion to EHRs and the potential for losing access to the federal stimulus funds.

These questions and others must be properly considered at a high level in the hospital, with committed Board oversight, in order to avoid or mitigate liability and loss that will result from expensive choices made with inadequate or incomplete information. 

 [To be continued in Installment 6] 

[Installment 4 – Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the fourth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

Over the next several months, my blog entries will continue to discuss some of the threshold issues that face the manifold stakeholders in the hospital industry as they struggle to cope with the new and somewhat uneven landscape of health information technology (“HIT”) and protected health information (“PHI”). A major focus will be Boards and their responsibilities to their hospitals and other stakeholders with respect to HIT.

Securing PHI

One of the issues facing Boards is the relatively risky and murky area of “securing” PHI under the HITECH Act. The HITECH Act directed the U.S. Department of Health and Human Services (“DHHS”) and the Federal Trade Commission (“FTC”) to issue regulations further detailing the required security breach notifications. Both departments have proposed such regulations and are seeking public comment. Final regulations are to be issued by the departments by August 17, 2009, as required by the HITECH Act.

DHHS has issued guidance on which technologies and methodologies can be used by hospitals to “secure” PHI. The outlined technologies render PHI unusable, unreadable or indecipherable to unauthorized individuals. A breach of secured PHI does not trigger HITECH security breach notification requirements. Following the guidance from DHHS will create the functional equivalent of a safeguard for hospitals and other providers and satisfy compliance with HITECH.

Encryption and Destruction of PHI under DHHS Guidelines

DHHS identifies two methods for rendering PHI “secured”: encryption and destruction. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data unless an individual uses a certain process or has a key. DHHS regulations state that the valid types of encryption processes to use will be those that are consistent with National Institute of Standards and Technology (NIST) standards for encryption. NIST has published a Guide to Storage Encryption Technologies for End User Devices. It is available at http://www.nist.gov/index.html.

The second method, destruction, will also secure information found in paper or electronic format. The paper or other hard copy media must be shredded or destroyed in a manner that the PHI cannot be read or otherwise reconstructed. Electronic media is to be cleared, purged or destroyed. Destruction should also be performed consistent with NIST standards. NIST has published Guidelines for Media Sanitization. It is available at http://www.nist.gov/index.html.

Board Oversight Obligations to Secure PHI

In satisfying DHHS requirements for “securing” PHI, Boards must establish appropriate and effective safeguards and security measures so that the risk of failure to comply with destruction policies is minimized. The use of improper, careless or noncompliant techniques for encrypting or destroying PHI by a hospital carries with it a high risk of damage control expense, penalties for noncompliance, devastatingly adverse publicity and potential for widespread liability to victims whose PHI has been compromised.

Boards of healthcare providers must devote sufficient resources that are supervised by competent personnel at a sufficiently high level in the corporate organization to secure PHI. The resources invested up front for orderly risk management are well worth the avoidance of the costs of damage control. Monitoring and feedback to the Board on the effectiveness of the efforts are a necessary follow-up.

When the final regulations on securing PHI are issued by DHHS and the FTC, this blog will address some of their principal points.

[To be continued in Installment 5]

[Installment 3 – Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the third in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT. Jim Landers of the Washington Bureau of the Dallas News wrote an article that was published on June 24, 2009, entitled “Administration: Hospitals unwilling to share electronic records will miss out on billions in stimulus funds.” His article prompted me to write on the topic as part of this series.

In his article Mr. Landers stated:

The Obama administration’s point man on electronic medical records [David Blumenthal, national coordinator for Health Information Technology] warned Tuesday that hospitals unwilling to share such files [electronic health records or EHR] with their competitors would not be eligible for billions of dollars in economic stimulus funds.

Mr. Blumenthal was further quoted by Mr. Landers as follows: “There’s a fair amount of money in the law for hospitals that adopt interoperability [the means to share EHRs]. If they don’t, they’re not likely to be eligible for payment.”

Mr. Landers correctly points out that many hospitals would be concerned that such free sharing of EHR among hospitals could give rise to the potential for losing patients to competitive institutions. I believe that, faced with deepening economic pressures and more highly educated patients with abundant choices, hospitals and their governing bodies must be increasingly concerned about material collateral issues that arise from sharing EHR with their competitors.

I would add to the observations of Mr. Landers that embedded in EHR in one form or another could be relatively proprietary financial and business information regarding costs, charges or reimbursement of the hospital and/or treating physicians. In the exchange of EHR among hospitals, such proprietary information could be included. There exists a potential for the violation of antitrust laws for sharing of sensitive pricing and business information among competitors. The effect of such a violation could be a major financial and public relations fiasco for the hospitals. Removal or de-identification of such proprietary information could be costly or relatively impractical. This aspect warrants review by competent legal counsel and information technology and financial experts for the hospital.

The ever-increasing momentum for acceleration of hospital conversion to EHR creates challenges and opportunities for a hospital and its governing board. On the one hand a hospital’s initiatives in this area can possibly make the hospital eligible for stimulus money to assist in the expensive cost of conversion to EHR. On the other hand there must be careful analysis at the governing board level of such an initiative in light of the risks involved.

These questions and others should be properly considered at a high level in the hospital, with board oversight, in order to avoid or mitigate liability and litigation, maintain the hospital’s reputation for candor and transparency and avoid the adverse publicity of regulatory violations and penalties.  

[Installment 2 – Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the second in a series of blog posts that relate to the governance concerns surrounding HIPAA, HITECH and HIT. It is, however, not the second posting that I had originally planned. A front-page article on May 25, 2009 in the New York Times by Pam Belluck, entitled “Hospitals Using Internet to Interact with Public,” prompted me to write on this topic as part of the series.

In her article Ms. Belluck stated, “Faced with economic pressures and patients with abundant choices, hospitals are using unconventional, even audacious, ways of connecting directly with the public.” She then reports that hospitals are using Twitter and transmissions from the operating room to communicate with the public on surgical results and YouTube to actually show surgery.  

This is seen by Ms. Belluck as a controversial approach to publicizing new procedures, to compete and attract patients and to stimulate contributions. In this day and age of increasing regulatory activity and heavy penalties for violations of HIPAA and state healthcare privacy and security rules, the Twitter practices should be subjected to careful scrutiny at the highest level by the governing bodies of hospitals.   The image of the hospital and its own sense of what are proper and acceptable marketing practices, the risks of legal or ethical violations from unwarranted communications, and the impact on publicity policies can be undermined by the uncontrolled actions of individuals.  The concept that the results of a complex surgical procedure can be meaningfully compressed into a rapid-fire, 140-character disclosure to the world can be somewhat perplexing.

The practice of using Twitter from the operating room to report on results is very risky and has serious implications for patient privacy. It may be a violation of existing laws or the general right of an individual to privacy.  It is always possible or even likely that the identity of a patient may become public, directly or indirectly, especially if the Twitter communication relates to a novel procedure. It is one thing to have a patient knowingly participate in publicity on YouTube and quite another to have someone send a Twitter message from the operating room while the patient is still recovering from anesthesia.

It is of equal concern that there is no control over the Twitter communications from the operating room. Anyone could make the transmission, which can be premature, totally erroneous and/or misleading.  It is a circumstance in some ways similar to the situation that judges are confronting from jurors who are sending Twitter or e-mail messages on the proceedings from the courtrooms of widely-publicized cases while the trial or jury deliberations are going on. Some judges are even prohibiting all electronic devices from being brought into the courtroom or jury deliberation room. In the case of the operating room there is the additional factor of the possibility that electronic transmissions from Twitter or e-mails may adversely affect or interfere with the normal operation of surrounding medical equipment.

The matter goes further. Will there be additional communications from the Tweeter or the hospital if the patient later develops complications or even dies? If the next patient who undergoes the same procedure does not fare well, will that be communicated through Twitter or other means to avoid misleading the public? How will the hospital control Twitter activity if it chooses to endeavor to do so? 

These questions and others should be properly considered at a high level in the hospital, with board oversight, in order to avoid or mitigate liability, maintain the hospital’s reputation for candor and transparency and avoid the adverse publicity of regulatory violations and penalties.  It is likely that the board should require that the hospital’s code of ethics address in greater detail how and when, if at all, electronic communications relating to patient procedures are communicated to the public and the nature of the patient consent that will be required.

[Installment 1]

The pressure on healthcare providers to convert to electronic medical records (EMR) as part of the overall HIT movement has increased dramatically in recent months. Promulgations from HHS and FTC, the federal stimulus package and HITECH, which recently heavily amended HIPAA, create new challenges for healthcare providers.

Over the next several months, my blog entries will discuss some of the threshold issues that face the manifold stakeholders in the hospital industry as they struggle to cope with the new and somewhat uneven landscape of HIT. The earlier entries will deal with the Boards and their responsibilities to their hospitals and other stakeholders with respect to HIT.

Boards of Directors and Trustees of for-profit and non-profit hospitals have been dealing for years with the ever-increasing costs of HIT for hospitals. Annually they are presented with a menu of costly budget items for investment in HIT. They have dutifully authorized and seen the inexorable growth of IT departments within their hospitals and have become almost inured and resigned to the inevitability of continued spiraling costs, often without any tangible results in the eyes of the Boards. Now they will be confronted by new and different costly demands respecting HIT in the face of an active controversy as to what will and should be the shape of future HIT initiatives.

The May 11, 2009 edition of The Boston Globe carried an article by Carolyn Y. Johnson, entitled “Digital Medical Records Push Exposes Potential Side Effects.” Its thrust was that, even with $19 billion to be spent by the stimulus package to support EMR investment and a real urgency for comprehensive HIT to cut costs and save lives, “a growing body of research illustrates the potential challenges – from getting doctors to use the safety enhancing features the systems offer, to the patchwork of privacy regulations in different states.” 

I would like to add to the challenges identified in Ms. Johnson’s article the need of each hospital to educate and to get the Board “on board” with the importance of HIT and undertaking pro-active initiatives in the institution. This Board effort is likely to be threatened by multiple complexities, including declining patient population, reduced reimbursement, heavy regulation, intense competition, dwindling donor contributions and heavy endowment losses for non-profit hospitals, a history of unclear returns from past substantial investments in HIT, competitive demands for capital dollars that promise quick tangible returns and many other factors. 

[To be continued in Installment 2]