Clinical IT Governance Update

I've written many posts about the importance of IT governance to set priorities, align stakeholders, and allocate budgets.

Today, I will meet with the Clinical IT Governance Committee to discuss the 5 major IS projects in the BIDMC Annual Operating Plan, brief them about the Meaningful Use Stage 2 NPRM, and discuss 2012 State HIE initiatives.

Here's an overview of what I'll say

*Electronic Medication Administration Records - at BIDMC, we wanted to eliminate all handwritten orders in every care setting, so we aggressively implemented CPOE before automating Medication Administration Records.   Now that we have 100% electronic ordering, we're implementing projects that close the loop - checking patients, medications, staff ID, and active orders when medications are given to the patient.   We've developed a scope, a timeline, and a workflow that embraces both fixed bedside devices and mobile technology to document when, where, and how medications are administered, reconciling orders and doses given.   We buy technology when it is mature and robust.   In this case, we'll need highly innovative, integrated technology supporting a unique workflow, so we're building it.

*Clinical Documentation - at BIDMC, our ambulatory documentation is entirely electronic.   In our monitored units, all flowsheets are electronic.  On our wards, progress notes are still written on paper.   In 2012, we're designing inpatient clinical documentation to align with the needs of our ICD10 project.  We'll use templates, macros, and free text input to support computer assisted coding, reducing the burden on clinicians and coders who need to pick the right code from 68,000 diagnosis and 87,000 procedure choices.  

*ICD10 - Although Secretary Sebelius has announced an intent to delay ICD10 enforcement dates, the project is such an enormous undertaking requiring policy change, workflow change and technology change that we're continuing full steam ahead.   We're executing a multi-phase project that includes current state documentation, a gap analysis, and a remediation plan.

*Personal Health Records - Patientsite, our PHR, is used by over 60,000 people every month.   Since its inception in 2000, Patientsite has not had a major upgrade.   This year, we're enhancing the look and feel, adding Open Notes (patients viewing all notes written about that), and creating a mobile friendly version.

*Standardized project management including a single intake process - among the many departments of BIDMC, different techniques are used for project charters, Gantt charts, issue logs, status reports, and project intake.  This year, we plan to create a single set of uniform project management artifacts that can be used by all business owners on IS related and other projects.

In addition to ICD-10, future stages of Meaningful Use Stage 2 will require multiple years of technology and policy work.   I'll present a summary of the challenges ahead based on the Stage 2 NPRM requirements .

Finally, in October of 2012, the Massachusetts Statewide HIE will go live and we'll use the infrastructure to enhance data sharing with payers, providers and patients.   At the same time we'll want to share more, compliance requirements will suggest further restrictions on data flows.   It will be a delicate balance.

I look forward to the meeting tomorrow.  Being a CIO means there's always new challenges and life will never be boring!

Provider Directory Strategies

The Office of the National Coordinator asked me to present the Massachusetts Provider Directory approach to the Provider Directory Community of Practice (CoP) on March 21.

Here's the powerpoint that I'll present tomorrow.

It highlights the decisions we had to make (Entity v. Individual, Central v. Federated, web API verses LDAP, etc)

Issue: Should we include organizations, individuals or both in the provider directory?
Answer: The directory should have a schema that enables lookup of entities (e.g., Organizations, Departments, State Agencies, Payer Organizations, Patient Health Record services) AND an individual's affiliation with an entity trusted by the HIE.  You can lookup John Halamka to discover that I'm affiliated with BIDMC, then lookup BIDMC to determine how to exchange data with my organization.

Issue: Should the Provider Directory be centralized or federated?
Answer:  The Provider Directory should be centralized at the State level, given lack of proven scalable approaches to federated provider directories standards and architecture.  However, Public Key Infrastructure can be federated based on the Direct DNS specification for certificate exchange.

Issue: How should we expose Provider Directory services to the Internet?
Answer: A SOAP-based web services API will support query/response, add/change,  and delete operations over the Internet.  An LDAP approach will support directory access for applications behind the MassHealth firewall.

Issue: How should we populate the provider directory?
Answer:  Commercial databases often lack timely updates.   In Massachusetts, we have several existing data sources to leverage including those used by payers for quality reporting, those used by provider organizations, and those used by the regional extension center.

Issue: How will we integrate this service into EHRs?
Answer: We will work with EHR vendors via a centralized program management office to procure software components that integrate provider directory and HIE transport services into the workflow of the EHR itself.  We will not force clinicians with certified EHRs to use a disconnected portal outside of their the EHR.

I look forward to speaking with the Provider Directory Community of Practice (CoP) to hear about approaches in other states and share lessons learned.

popHealth

While in Chicago last Thursday, I was asked how we validated our quality measures when we moved from chart abstraction to automated computation of PRQS, Meaningful Use, Pioneer ACO, and Alternative Quality Contract measures via the Massachusetts eHealth Collaborative Quality Data Center (QDC).   This is an important question because Meaningful Use Stage 2 enables easy use of modular components outside the EHR such that data can be captured in the EHR and sent to a cloud based analytics engine via standards such as CCD/C32 for content and Direct for transport.

Initially we did spot checks to validate the integrity of the Continuity of Care Document data flows from electronic health records to the normalized QDC schema.

When Mitre Corporation offered to test their popHealth tool against 2 million BIDMC patient records to validate the Meaningful Use quality measures computed by our QDC, we jumped at the opportunity.

First, we ensured appropriate business associate agreements were in place to protect the privacy of patient data.   Next, we required all work to be done on site in the Quality Data Center to protect the security and integrity of clinical summary data.

Mitre ran the tool against 2 million BIDMC Continuity of Care Documents and compared the results to the reports generated by the QDC.

The results were enlightening.

The computations aligned well for most quality measures, justifying our early manual validation.

However, Mitre discovered ambiguities in the CCD specification itself that led to some differences in the calculations.     This was despite our use of this CCD implementation guide  which provides even greater specificity than the HL7 standard.

For example, the CCD does not specify an allergy vocabulary.   At BIDMC we use First Data Bank to codify medication allergies.   PopHealth expects RxNorm, the vocabulary standard required for exchanging medication history.   Even the Stage 2 NPRM does not specify an allergy vocabulary and we recognized the need to enhance the Stage 2 to include RxNorm for medication allergies (Penicillin VK),  NDF-RT for categories of medication allergies (all Penicillins and Cephalosporins) and SNOMED-CT for non-medication allergies (food and environmental agents).

I'll post other pertinent findings from the Mitre analysis after next week's debrief meeting.

Mitre demonstrated their work at HIMSS in the interoperability showcase as illustrated in the photograph above.

BIDMC and MAeHC were proud to participate in this event, which we hope provided lessons learned for other provider, payer, and government stakeholders wanting to compute quality measures in the cloud using popHealth.

The Chicago Healthcare Information Exchange

On Thursday, I met with the Chief Medical Officers working group of the Metro Chicago Healthcare Council to discuss Healthcare Information Exchange strategy in a world rapidly moving toward accountable care organizations, patient centered medical homes, and global capitation.

Chicago has created a consolidated summary record for patients using technologies from Microsoft (aggregation and analytics) and HealthUnity (master patient index services).   CSC provides Systems Integration and Program Management.

Importantly, they've built governance, trust, a policy framework, engagement, and commitment from stakeholders in the greater Chicago metro area.

Their architecture is a bit different from the Massachusetts approach and it will be very interesting to compare lessons learned over the next year.   They are receiving HL7 feeds from participating hospitals, matching identical patient records together, and  aggregating the data using the kind of data-atomic attribute-value pairs suggested by the President's Council of Advisors on Science and Technology Healthcare IT report.

The centralized/consolidated summary record can then be accessed by authorized clinical users such as primary care physicians, hospitalists, and emergency departments.

The Chicago HIE will also offer secure messaging to support the kinds of push use cases we've discussed in Massachusetts i.e.

Referral/Consult
Admission notification
Post-encounter summary
Discharge Summary/Instructions
Lab Order/Results
Public health (SS, Imm., ELR)

They've worked hard to engage the Chief Medical Officers of the region's hospitals and to create patient demand for HIE services via consumer education.

A great group of people and definitely an HIE to watch!

Our Cancer Journey Week 13

It's week 13 since diagnosis and Kathy's will receive the 7th cycle of chemotherapy tomorrow. (3rd cycle of Taxol)

Kathy's hematocrit continues to trend downward (from 42 at diagnosis to 29 last week), her nails have turned black/brittle, and her eyelashes have disappeared, but the worst is over.   She's feeling fine, the tumor is undetectable, and she's tolerating Taxol very well.

Taxol typically does not cause a drop in hematocrit, so why the gradual downward trend over the past few weeks?  

Kathy received Neulasta as part of her 4 cycles of Adriamycin/Cytoxan.  Neulasta is a colony-stimulating factor  that encourages hemopoietic stem cells to produce white blood cells, avoiding the neutropenia and susceptibility to infection that was previously a serious problem with chemotherapy.   One issue with Neulasta is that it may encourage so many stem cells to differentiate into white blood cells that fewer red blood cells are produced, leading to a mild anemia.    Over the next few weeks, her bone marrow should return to normal and her hematocrit should rise.   The only consequence of a low hematocrit for Kathy has waning energy mid-day that necessitates a 15 minute nap.   Otherwise, her activities of daily living (including packing the house for our upcoming move) remain unchanged.

Her hair is beginning to grow back.  She wears head wraps for warmth around the house and while sleeping.   When we go out to dinner, she wears a wig (interestedly termed a "hair protheses" for reimbursement purposes) that is so attractive, her friends and family have grown accustomed to the style.  When her hair grows back, she'll likely get the same cut.

One unexpected consequence of having breast cancer is that Kathy has stopped eating Tofu and soy products that are estrogenic, given that her tumor is Estrogen Receptor positive and is "fueled" by estrogen.   Minimizing estrogenic foods seems reasonable.   She continues to get her protein from vegetable sources, but has also added eggs - remaining vegetarian but not vegan.    Given that we'll soon have a coop of chickens on our new farm property, having at least one person in the family who eats eggs makes sense.

Thus, her trajectory is positive, her clinicians are optimistic, and we're pressing forward with life, balancing the needs of our personal lives, family lives, and work lives.   We're in control, not the cancer.

Will Payers be the Business Intelligence Services of the Future?

What is a payer/insurer?

Typically, payer organizations collect premiums from employers and individuals, process claims, and engage in a variety of case management/disease management activities to encourage the appropriate use of medical resources.   If they collect more premiums than claims paid,  their medical loss ratio is less than 100% and they earn a profit.

In a world of accountable care organizations and healthcare reform, new reimbursement methods will include global payments to providers, which implies the risk of loss will shift from the payer to hospitals and clinicians.   Payers will no longer need their large claims processing staff, nor create complex actuarial models.   They'll become very different organizations.

How different?

My prediction is that payers will become the health information exchange and analytics organizations that help hospitals and clinicians manage risk in a world of capitation.

I've said before that ACO=HIE+Analytics.

The payers are already making strategic acquisitions to build these new business models

Aetna acquired Medicity to gain expertise in healthcare information exchange.  Aetna had already acquired Active Health to gain access to its CareEngine analytics platform.

United acquired Axolotol to gain expertise in healthcare information .   United already had a comprehensive suite of analytic capabilities via its Ingenix subsidiary.   United rebranded the combination of HIE plus analytics as OptumInsight

Three of the nation's largest Blue Cross plans acquired Navinet for its real-time communication network that links physicians, hospitals, and health insurers.

Humana acquired AnvitaHealth for its real time analytics and decision support capabilities.

The next several years will be interesting to watch as the country gains experience from Pioneer ACOs (7 of the 32 are in New England and 5 in Massachusetts).

Watch the payers carefully.   As they acquire more HIE and Analytics businesses, I believe you'll see a shift from claims processing to wellness management and cloud-based provider services.

Surescripts Clinical Data Exchange

Yesterday, Surescripts announced a national approach to sharing clinical summaries and public health data via its Clinical Interoperability Network:

"WALGREENS AND SURESCRIPTS IMPROVE COORDINATION OF CARE BY ELECTRONICALLY DELIVERING IMMUNIZATION AND PATIENT SUMMARY RECORDS TO PRIMARY CARE PROVIDERS

Surescripts Network Accelerates Interoperability Between Physicians, Pharmacists and Take Care Health Providers by Making It Easier to Supply Information Often Missing During Patient Visits"

According to the release, the Surescripts Clinical Interoperability Network supports all federal and state policies and standards for health information exchange, including privacy and security standards (such as HIPAA and state law), technology interoperability standards (such as Direct) and various message types.   The service is being rolled out to 500 hospital labs to connect to public health under a grant from the Centers for Disease Control and Prevention, and is also being used by physicians for physician-to-physician communication and care coordination.

I asked for further details about the transport, content, and vocabulary standards they plan to use.   Here's their response:

"Currently, we’re delivering PDFs over a REST-based protocol or Direct - whatever manner we have connectivity. We’re also faxing and mailing while vendors work on their connectivity modules. We’re in the process of determining which profile in terms of CCD/CDA will be the easiest for most vendors to receive. We’re targeting implementation later this summer.

When we start reporting to state registries, we’ll be sending the records in the most modern standard the states are ready to implement. We hope to see the majority of registries stepped up to HL7 2.5.1, Release 1.3 and August 2011 CVX code sets. But if a state isn’t quite ready, we’ll connect to what they have and upgrade the transport/content when they’re ready."

Massachusetts and other HIEs are implementing Direct for the summary and public health transactions.   With State HIE and national Healthcare Information Service Providers like Surescripts, we'll connect every payer, provider, and patient in time for Meaningful Use Stage 2 requirements.

Leadership lessons learned from James T. Kirk

Recently, Alex Knapp wrote a brilliant article entitled "Five Leadership Lessons From James T. Kirk" in Forbes.  For those of us who have watched every episode and can recite every line of dialog from memory, these 5 lessons are a great distillation of the series.

On April 29, I'm speaking at the American College of Physician Executives about Leading Innovation.   These same 5 points are a great framework for that event.

1. Never Stop Learning

30 years ago I befriended one of the great thinkers from the vacuum tube era.  I showed him the miracle of a modern integrated circuit - one of his most complex tube designs fit into a dime sized chip.   He told me that he was not interested because he could not comprehend the silicon-based technology.

As I've told my staff, if I ever become an impediment to innovation because I'm stuck in a technology era of the past, it's time for me to move on.

2. Have Advisors With Different Worldviews

I try very hard not be dogmatic.   I use open source and proprietary software.  I use Macs and Windows devices.   I run Java and .NET applications.    Surrounding yourself with with smart people (smarter than yourself), who may have contrary opinions, improves your own decision making .   I've always felt that "B" leaders surround themselves with "C" employees who simply reinforce status quo leadership thinking.   "A" leaders surround themselves with "A" employees who constantly challenge the status quo.

3. Be Part Of The Away Team

It's truly hard for healthcare CIOs to understand the needs of their customers.  It helps to be a clinician or partner with a CMIO.   The best way to truly understand the strengths and weaknesses of your IT organization is to use the applications you purchase or create, "Eating your own dog food".  This requires leaving the comfort of your office and spending your day in the field.   I spend less than an hour a day sitting at my desk - my office is wherever my laptop and iPhone reside.

4. Play Poker, Not Chess

It's important to take educated risks.   I bet on the web for healthcare in 1996.   Transforming organizations with healthcare information exchange in support evolving accountable care organizations, patient centered medical homes, and global payment is the right thing to do.

5. Blow up the Enterprise

Every organization has peaks and valleys.    Goliaths fall and Davids rise.   In my own career, I've experienced the perfect storm of innovation that results in revolutionary rather than evolutionary change.   Sometimes its clear that an organization should exit certain businesses, downsize and divest to ready itself for the next phase of growth.  Being the best "buggy whip" manufacturer is not a sustainable strategy.

Thanks Alex for a great article.   In the early days of Meaningful Use work a graphic appeared labeling Dr. David Blumenthal as Kirk, Dr. John Glaser as Spock and me as Bones (thanks to Brian Ahier for this).  It's an honor to be considered part of that crew!

Cool Technology of the Week

As readers of my blog may know, I'm a consulting mycologist, treating over 600 patients who ingest toxic mushrooms every year.

Now there's a novel way to use mushrooms to create custom packing materials.

Imagine choosing your packaging based on its absorptive, cushioning, and strength criteria, then just growing the package you need.

It seems like science fiction but a  New York company is doing this.

Ecovative Design  "grows"  packaging components for Dell Inc. servers and Crate and Barrel furniture, among others.

Mushroom-based packaging you can custom grow for each customer.  That's cool!

Our Cancer Journey Week 12

Last week Kathy started Taxol.   She's tolerated it well and did not have any of the fatigue, appetite changes, or anemia that came with Adriamycin/Cytoxan.

The short term challenge with Taxol is not the medication, but the solvent (called Cremophor) used to create an injectable solution.   Solvent-related hypersensitivity reactions are relatively common, so Kathy's pre-chemotherapy medications included:

*Dexamethasone 20 mg IV 30 minutes prior to chemotherapy.
*Diphenhydramine (Benadryl) 25-50 mg IV 30 - 60 minutes prior to chemotherapy. 50 mg for first dose. May reduce dose to 25 mg on subsequent doses if tolerated
*Famotidine (Pepcid) 20 mg IV infuse over 15 minutes. 30 minutes prior to chemotherapy.

She had no reaction of any kind, so tomorrow's Taxol dose will include 25mg of Diphenhydramine, yielding less Benadryl-induced sleepiness.

Her usual pattern of chemotherapy, one good day, one moderate day, two bad days, then back to good days has been replaced with chemotherapy followed by good, good, and good days.   Since we're preparing our Wellesley house for sale (goes on the market April 1) as part of our move to a farm property in Sherborn, Massachusetts, she needs all the energy she can get.   Our nights and weekends are filled with painting, cleaning, and boxing.

Her mood is good, our hope for cure is strong, and our optimism for an American Gothic future keeps us going every day.

Early NPRM Questions

As HIT stakeholders review the Meaningful Use Stage 2 NPRMs in detail, questions about the intent of the language are circulating throughout the industry.

The two most common questions I've heard are related to image display (is it viewing via an EHR, through an EHR, DICOM required etc.) and Healthcare Information Exchange transport standards.

Here's a very thoughtful blog post from David Clunie that summarizes the issues of image viewing in the Stage 2 NPRMs.

Healthcare Information Exchange transport is now required per this provision in the CMS NPRM:

"The EP, eligible hospital, or CAH that transitions or refers their patient to another setting of care or provider of care electronically transmits a summary of care record using certified EHR technology to a recipient with no organizational affiliation and using a different Certified EHR Technology vendor than the sender for more than 10 percent of transitions of care and referrals."

Many are asking what standards and what architecture will be required, since the Standards and Certification NPRM offers a few options.

The HITSC NwHIN Power Team will continue to make recommendations to ONC, but here's my suggestion:

1.  For Push transactions, use SMTP/SMIME between Health Information Services Providers (HISPs) with the option of SOAP for "on ramps" and "off ramps" to EHRs (and PHRs).   For point to point transport between EHRs without a HISP use SOAP.
2.  For Pull transactions, use SOAP per a rewritten NwHIN Exchange implementation guide (eliminate the layering of specifications that refer to standards within standards within standards).   For point to point Pull, consider the kind of simplified Exchange-like SOAP transaction we've implemented between BIDMC and Atrius that does not require a master patient index, record locator service, or  document registry.
3.  If a RESTful implementation guide becomes available for Push or Pull,  consider it.

Over the next 60 days, HITPC and HITSC experts will examine all the ambiguities in both NPRMs.   I'm confident that with public comment and expert review, CMS and ONC will polish the NPRMs into Final Rules that are pure poetry.

The Bookmarked CMS and ONC rules

Thanks for Robin Raiford of the Advisory Board for these resources

She's created a poster comparing Meaningful Use Stage 1 to Stage 2 as currently proposed. This is a 48” x 66” wall poster if you want to render it at a commercial printing service, or zoom to 75% to see it on your screen.

Here's the bookmarked CMS Notice of Proposed Rule Making Stage 2 EHR Incentive Program

Here's the bookmarked ONC Notice of Proposed Rule Making Standards and Certification Criteria

I hope you find these useful.

Data Segmentation

In my recent post about consent policy for HIEs, I reflected that opt in consent to disclose at each institution generating data is patient centric and implementable.    One challenge with trying to implement a special "consent to view data at each encounter" workflow for HIV is the difficulty of segmenting the medical record to isolate HIV data.   Here's a sample record that illustrates the problem:

Medications
1.  Tylenol
2.  Sudafed
3.  AZT
4.  Bactrim

Problem List
1.  Headache
2.  Sinus Infection
3.  HIV positive
4.  UTI

Letter
I hope you and your partner had a great weekend in Provincetown and that the thrush has improved with the mouthwash sample I gave you

We can create filters for medications that are related to HIV treatment such as AZT.   However, some medications are ambiguous.  Is the Bactrim being used as prophylaxis against an HIV-related respiratory illness or something else?   We see from the problem list that the patient has a UTI, so likely the Bactrim is not HIV related and should be listed as a non-HIV medication.   The Letter does not include the words HIV, AIDS, or any medication name.  However, it lists Provincetown, which has the highest concentration of same-sex couple households of any zip code in the United States.   It mentions thrush which occurs in immunocompromised patients.   The Letter could imply HIV positivity.

ONC has launched the data segmentation initiative with the goal of tagging portions of the medical record with enough metadata to separate data into categories that better allow control of information exchange in accordance with patient privacy preferences.

For example, a sample medical record might contain

*Standard care information - problem list, medications, allergies, labs, notes, and immunizations that are not specific to the categories listed below
*Mental Health
*Sexually transmitted diseases
*Substance abuse
*Domestic Violence history
*HIV status

A person's preference may be to share Standard care information with any care provider, but only share STDs and HIV status with a primary care provider, and only share mental health, substance abuse, and domestic violence history with a mental health provider.

The current state of EHRs and HIEs is that data segmentation is very hard because of ambiguity in categorizing data elements, per the example I gave above.   With the ONC data segmentation initiative, implementers will receive guidance so that providers and automated decision support tools can tag data as it is entered, enabling segmentation.

Once data is segmented, we can then record patient privacy preferences for each segment.   How do we do that?

Mitre has created an open source patient consent policy management tool called Kairon Consents that is available for use now.

It enables the patient to designate who they want to share data with (e.g., by name, institution, referral relationship to PCP, etc.) and what data they wish to share (e.g. allergies) and for what purposes (treatment, research, etc.).

When a request for data is received, there is a policy reasoner that examines the request and presents the record holder with the relevant patient policies for that request (e.g., "The request is from an allowed physician but only allergy data is allowed to be communicated".

Clearly this is just the beginning of national-scale consent management tool development, but it is a reasonable platform for initial capabilities and can be scaled for institutional use.

In 2008, I proposed a "Consent Assertion Markup Language" (CAML).   With the Data Segmentation initiative and Kairon Consents, a mechanism for gathering and enforcing more granular patient privacy preferences will soon become a reality.

Cool Technology of the Week

 Although I did not attend HIMSS this year because of my wife's chemotherapy timing, I did send several of my staff.    I asked them to summarize the cool technologies, most frequently heard buzzwords, and the overall conference trends.

Just as "Plastics" was the catchword from The Graduate, this year's HIMSS Conference theme was a combination "Cloud-based EHRs" and "HIE".

Cloud-based EHRs which follow the model pioneered by AthenaHeath for minimal hardware and minimal configuration in the office now include a number of new entrants including CareCloud and iPatientCare.   It will be interesting to see how these companies address the issue of integration with hardware in the office, the desire for customization, and the need for unique interfacing/integration with third party products.

HIE companies are appearing on the landscape faster than ever before.   Companies such as Orion, Intersystems, RelayHealth, United/OptumInsight, Aenta/Medicity, DBmotion, Axway, and Certify are increasingly visible in the industry.

With the Stage 2 NPRMs and increased HIMSS emphasis on interoperability, the industry is fast moving toward the Learning Healthcare System we've all envisioned.   That's cool!

Our Cancer Journey - Week 11

Tomorrow, Kathy starts her next round of chemotherapy - 12 weeks of Taxol administered every Friday at noon.

As with Adriamycin/Cytoxan (AC), we fear the unknown - what symptoms will it bring, how will it affect day to day and long term physical well being (since Taxol causes numbness that can be permanent).      Kathy reacted very well to AC so we're hopeful that she'll tolerate Taxol.

The process of treating breast cancer - 20 weeks of chemotherapy followed by surgery and radiation, can be wearing.   Of course, we are focused on optimizing the therapy, but at the same time we've needed a long term goal that brings joy and passion for the future, minimizing the day to day challenges of treatment.

Together we've been looking for a farm property, discussing the plans/projects ahead, and preparing for our next stage of life.   We moved to Massachusetts 16 years ago and raised our daughter in a family neighborhood, nearby to great public schools and a local library.   We believe that we have at least 2 more phases in our lives.  Phase 1 - 15 years as empty nesters at the peak of our mental and physical capabilities, ensuring the health of our parents, and supporting our daughter's early career.   Phase 2 - 15 years as retirees (and possible grandparents), continuing to write, lecture, and consult but without a "9 to 5" office schedule.

In Phase 1,  we're eager to take on the physical labor and mental creativity needed to expand our production of organic vegetables and raise a few chickens/alpaca/llama/goats/sheep.

The quest for a farm property has provided us with enough positive activity to energize our nights and weekends.

Plans and projects for the future are important to sustain optimism, but they're also essential to grow and develop our 30+ year relationship.

As noted in the recent New York Times article Love and Death, having plans and projects for the future is what sustains love beyond the physical attraction, infatuation, and novelty of the initial relationship.

Our farm vision has provided that.   To keep patients and families psychologically healthy during cancer treatment it's really important to focus on life after cancer and not let the cancer rule your life.    As you'll hear in the new few weeks, we found our farm and now we're planning our move there by May, ensuring that the end of chemotherapy marks the beginning of our new life chapter together.

The February HIT Standards Committee Meeting

The February meeting of the HIT Standards Committee included an in depth discussion of the Stage 2 Standards and Certification NPRM, updates from the projects in our 2012 HITSC work plan, and an overview of HITPC plans for 2012.   It was one of the highest energy, most optimistic meetings we've had.

We began the meeting with a review of the Standards and Certification NPRM by Steve Posnack and Doug Fridsma.  As I noted in my recent post about the NPRM, most of the HITSC "Summer Camp" recommendations were accepted.   Highlights from their presentation:

*In Stage 2, Certified Electronic Health Record Technology (CEHRT) will be "just enough" to support the functions documented during attestation.     In Stage 1, certified technology  was required for menu set items that were not part of an organization's attestation i.e. even if you did not plan to submit syndromic surveillance data, you needed to buy that technology anyway.  
*Every eligible professional/eligible hospital/critical access hospital (EP/EH/CAH)  must have a "base EHR"  that includes the ability to capture demographic data/patient history/problem lists, provide decision support, support provider order entry, record data needed to report quality, exchange electronic information, and protect confidentiality
*In addition to this base EHR, every EP/EH/CAH should have the EHR technology with capabilities for the MU core and menu set objectives they seek to achieve.  These can be a collection of modules or a complete EHR.
*Clinical Quality certification includes the ability to capture, calculate, and report clinical quality measures.   It's completely fine to use certified EHR technology to capture the data, then export it to another certified technology for calculation and reporting.   This is what BIDMC does today and to achieve it we had to do self-certification.   Now, anyone can use this approach, assembling certified components from vendors.
*The Standards specified in the 2014 Criteria include
  Content - Consolidated CDA for summaries, NCPDP for eRx, HL7 2.5.1 for public health
  Vocabulary - CVX for immunizations, SNOMED-CT for problem lists, ICD10-CM for diagnoses, LOINC for labs, RxNorm for meds, OMB, ISO639-1 for spoken language, CDA for cancer submissions 
  Transport - Direct Specifications and NwHIN Exchange
  Security - FIPS for encryption, NTP for time
*The MU Stage 2 Menu set includes  several functions with evolving standards such as Imaging display in EHRs, transmission to clinical registries, cancer case information, and family health history.  That's why they are menu set

Initial reactions from the HIT Standards Committee included

   TLS should be listed as an acceptable transmission standard for data exchange with patients
   Organizations with internal pharmacies should be allowed to use HL7 for eRx of discharge meds
   Quality reporting XML needs additional work on content, vocabularies, data model
   Imaging in MU should be clarified (view/access/transmit in an EHR or via an EHR)
   Allergy terminology should be included in the Standards Final Rule - RxNorm for meds, NDF-RT for drug classes, SNOMED-CT for non-meds
   Our focus should be the adoption of SNOMED-CT as the clinician facing vocabulary, not ICD-10
   XDR as a transport standard should be optional, as was defined in the Direct Project
   Patient Portals - Direct should be used with patients i.e. EHRs should be able to "cc the patient"
 
Next, Betsy Humphreys presented the Vocabulary and Code Sets update  focusing on SNOMED0CT, LOINC and RxNorm tools.  A new API to access cloud hosted SNOMED-CT resources from NLM will be available in March 2012.

Next, Dixie Baker presented the NwHIN Power Team review of NwHIN Exchange implementers comments.   Major themes included
*Complexity seems to be related to the specifications themselves which include optionality and layers of references to other specifications (indirection).  There was no specific complaint about SOAP or the need for REST
*No current Exchange implementation is being used for large scale production except the SSA's disability determination project
*The Exchange Patient Discovery architecdture lacks scalability

Next, Paul Tang presented the 2012 HITPC work plan.  He reviewed the 5 year vision with 2011being capture of structured data, 2013 being HIE/Care Coordination, and  2015 being outcomes measurement and improvement.   The 2012 work plan includes
*Q1 discussion of MU Stage 3 principles, review of the MU Stage 2 NPRM, governance, next generation quality measures
*Q2  Quality measure lifecycle, patent generated data, information exchange, EHR safety
*Q3  Stage 3 draft recommendations, long term and post-acute care, governance NPRM
*Q4   Reconcile MU3 Recs with Stage 2 Final rule,  HITSC feedback on stage 3 , Consumer eHealth, Strategic plan revisions

Next, Jim Walker presented the work plan for the Clinical Quality Workgroup.

Finally, Doug Fridsma presented the S&I Framework update identifying the levels of support currently available - Self Service, Limited Service, Strategic Support and Full support.  S&I portfolio of new work includes longitudinal coordination of care, electronic submission of medical documentation signatures and content, query health, and data segmentation for privacy.

Thus, the HIT Standards Committee is on track for our 2012 work plan, the first quarter of which includes 4 projects

a.   NPRM review
b.  Quality measurement
c.  NwHIN Exchange refinement
d.  Value sets/vocabulary mapping

At the next meeting, we'll review our collective comments on the NPRM (gathered from each of our workgroups) and ensure we're on the right trajectory for our next quarter's work on standards governance, Query Health, Radiology Standards and NwHIN supporting components (Provider Directories, PKI).

S&I Framework Implementation Guides

Now that the Stage 2 Standards and Certification NPRM has been released, many people are asking me for the detailed implementation guides that will support it.

The S&I Framework website is being enhanced to make their work products easier to find.

In the meantime, here are some of the major S&I Framework resources

Final DNS/LDAP Hybrid Specification for Direct Project Certificate Discovery

Final Data Model for Query/Response to the Provider Directory for electronic service information (implementation guidance forthcoming):

Latest Laboratory Reporting Implementation Guide (will be balloted a second time at HL7 this spring)

Final Consolidated CDA Implementation Guide

We're getting closer to our goal of one stop shopping - a single website with all the content, vocabulary, and transport standards needed for certification.

The Stage 2 Standards and Certification NPRM

On Friday, ONC released the Standards and Certification NPRM, the companion to the the CMS Meaningful Use Stage 2 NPRM.

Here's a bookmarked PDF  - thanks to Tony Panjamapirom of the Advisory Board.

In my view, the NPRM is a work of art, reflecting the work of the HIT Standards Committee, the S&I Framework, and  the multi-stakeholder consensus that fewer, more complete standards with less optionality will lead to greater interoperability.

I've always thought of healthcare standards as having three components -  content, vocabulary, and transport.

For content, the NPRM specifies HL7 2.51 for lab results, syndromic surveillance, reportable lab, and immunizations (HL7 2.31 is not longer an option).   For summary transactions, the Consolidated CDA is the only recommended standard.   (CCR and CCD/C32 are no longer specified).    NCPDP is specified as standard for the exchange of prescription information between entities, including for discharge medications.

For vocabularies, the NPRM specifies a single vocabulary per domain, just as HITSC recommended
Lab - LOINC
Medications - RXnorm
Problem Lists - SNOMED-CT
Discharge Diagnosis - ICD10-CM
Immunizations - CVX
Demographics preferred language - ISO 639-1
Demographics preliminary cause of death ICD10-CM

For transport, two standards are available, consistent with the Direct Project - SMTP/SMIME and SOAP.   A RESTful option is not specified, but ONC recognizes that a RESTful implementation guide may be available in the future.

The 2014 edition of the Standards and Certification NPRM eliminates the "OR", since this standard OR that standard implies that vendors need to support both, creating an "AND" for implementers.  

The ONC NPRM is clear, unambiguous, forward looking and reasonable.   Congrats to the team who wrote it.

A First Look at Meaningful Use Stage 2

The Meaningful Use Stage 2 Notice of Proposed Rulemaking was released today at 4:15pm.  It represents the work of hundreds of people from every healthcare stakeholder group.   I'll summarize all 455 pages this weekend and give two webinars next week (Greater New York Hospital Association and a special session for the Harvard School of Public Health).  

For now, I recommend you read this summary on pages 156-163 to understand that EPs must meet or qualify for an exclusion to 17 core objectives and 3 of 5 menu objectives.   Also that eligible hospitals and Critical Access Hospitals must meet or qualify for an exclusion to 16 core objectives and 2 of 4 menu objectives.

Other key points from the executive summary:

*For EPs, we propose a set of clinical quality measures beginning in 2014 that align with existing quality programs such as measures used for the Physician Quality Reporting System (PQRS), CMS Shared Savings Program, and National Council for Quality Assurance (NCQA) for medical home accreditation, as well as those proposed under Children's Health Insurance Program Reauthorization Act CMS-0044-P 18 (CHIPRA) and under ACA Section 2701.

*For eligible hospitals and CAHs, the set of CQMs we propose beginning in 2014 would align with the Hospital Inpatient Quality Reporting (HIQR) and the Joint Commission's hospital quality measures.

*This proposed rule also outlines a process by which EPs, eligible hospitals, and CAHs would submit CQM data electronically, reducing the associated burden of reporting on quality measures for providers. We are soliciting public feedback on several mechanisms for electronic CQM reporting, including aggregate-level electronic reporting group reporting options; and through existing quality reporting systems. Within these mechanisms of reporting, we outline different approaches to CQM reporting that would require EPs to report 12 CQMs and eligible hospitals and CAHs to report 24 CQMs in total.

*Stage 2 meaningful use requirements include rigorous expectations for health information exchange including: more demanding requirements for e-prescribing; incorporating structured laboratory results; and the expectation that providers will electronically transmit patient care summaries to support transitions in care across unaffiliated providers, settings and EHR systems.

To understand the themes underlying Meaningful Use Stage 2, here's a great blog post from Health Affairs.

Finally, here's a powerpoint summary you can reuse for your own presentations - no attribution needed.  I've compared each criteria to its Stage 1 equivalent.

Our Cancer Journey (Week 10)

Kathy is now finished with the hardest part of her chemotherapy regimen, Adriamycin/Cytoxan.   Next week, she begins Taxol every week for the next 12 weeks.    Taxol is typically far less fatiguing than AC.    It does have a problem that it is suspended in an solvent that can cause allergic reactions.   Her regimen will include supportive doses of diphenhydramine (benadryl) and dexamethasone (a steroid).

At last week's checkup, Kathy's oncologist could no longer locate the tumor.

Her breast surgeon will order an MRI at the completion of the Taxol cycles and if the tumor is undetectable, Kathy may be able to have to breast conserving surgery rather than a complete mastectomy.

On Taxol, her hair will begin to grow back and her energy is likely to rebound.   However, she is quite concerned about one side effect - a neuropathy causing numbness in her hands.    As an artist, she depends on a keen sense of touch to create her work.

She will no longer need Neulasta (a bone marrow stimulant).   She welcome the fact that Neulasta protected her from neutropenic nadirs/infections but really did not like the bone pain/total body aches that it caused.

So the journey continues and we feel that we've turned the corner.   It's too early to see the light at the end of the tunnel, but at least the tunnel will be easier to traverse for he next 12 weeks.

Lessons Learned from China

On Sunday I returned from a week in Shanghai and Hangzhou.   A remarkable trip that included daily meetings with government, academic, and clinical leaders.   What did I learn?

In China, about 5% of the GDP is spent on healthcare per year compared to 16% in the US.    Although there is wide variation in lifespan and other population health measures between rural and urban settings, there are few interesting observations about Chinese healthcare

*It's a single payer, publicly funded system that provides universal healthcare via a 14% payroll tax.
*There is a single national set of regulations and policies applied to all hospitals, clinics, and doctors
*There is a single set of national privacy laws
*Immunization is mandatory for the entire population
*There's a single national healthcare identifier

EHRs are widely used in China, however they are optimized for episodes of care, using templates for capture of selected data elements specific to a disease i.e. hypertension, hepatitis, diabetes.    The volume of patients is overwhelming - in one hospital I visited (Huashan), the  dermatology clinic sees 4000 patients per day.    The Chinese EHR enables clinics to document the basics of a problem specific encounter, facilitating extremely fast throughput.   The downside of this is that there is not a longitudinal problem list, medication reconciliation, or coordination of care to avoid repeat testing.

Health Information Exchanges are beginning and in Shanghai and there's a pilot in place which enables data sharing among the public hospitals.   The Chinese have designed an architecture to support HIE in cities, provinces, and across the country.   The idea is similar to the US NwHIN - a network of networks that shares detailed data on a local level and summary data on a national level.

The Standards for HIE are in the early stage and I have shared the US approach to the Consolidated CDA.   The Chinese believe that using building blocks of XML to specify aspects of the record for transition of care is exactly what they need.

I travel the world and over the past year I've worked on aspects of HIE in Japan, Scotland, New Zealand, Europe, and China.    The problems are the same all over - capturing the data, protecting privacy, creating standards-based summaries, embracing vocabularies, and providing decision support.   It's encouraging to see such progress.  In my lifetime, I believe we will achieve a level of healthcare data capture and sharing that enables us to improve healthcare quality, safety, and efficiency throughout the world.  We'll solve these problems, so that the next generation will reap the benefits.

HIE Consent Policy

I was recently asked how consent policy can evolve in Massachusetts to balance patient privacy preferences and the need to coordinate care/optimize population health.    Here's the letter I wrote to stakeholders about it:

"My name is John D. Halamka MD and I serve as chief information officer of Beth Israel Deaconess Medical Center, co-chair of the Massachusetts HIT/HIE Advisory Committee, and co-chair of the  HIT Standards Committee.

In my role as a CIO and clinician, I have been passionate about the need to electronically coordinate care to improve quality, safety, and efficiency.

My wife was recently diagnosed with Breast Cancer and her treatment has relied on the secure exchange of healthcare records with her consent.

The consent model that has worked best throughout the Commonwealth is 'Opt in consent to disclose at each institution'.    This means that no data is exchanged between organizations until the patient consents to the release of information from the sending institution (the place where the data was generated).   This consent stays in force until a patient revokes it.  

A separate consent to view the data at the receiving institution is not needed.   There is no need to re-consent the patient at each episode of care.

We've implemented this model in the New England Healthcare Exchange Network (NEHEN), in the Department of Public Health immunization registry, and in the design of the statewide healthcare data exchange that the MassHealth is building.

Opt in to disclose is straightforward to implement and support.  It's easy to enforce and audit.

The one complexity to this approach is the data sharing of records containing HIV information.    Current and proposed Massachusetts regulations require opt in consent to view at each episode of care in addition to opt in consent to disclose.

Consenting the patient at each release of information is challenging to implement, difficult to audit, and likely impossible to enforce.   Security experts agree that easy to implement, easy to audit, enforceable approaches are much more secure than complex, challenging and cumbersome approaches.

I believe that Massachusetts stakeholders will support opt in consent to disclose at each institution as the single best approach for the release of all healthcare data.   Implementing this uniformly across the Commonwealth will ensure respect for patient privacy is maintained, care delivery organizations can support healthcare data exchange processes, and IT departments can implement the necessary applications.

As a CIO, physician, and husband of a cancer patient, I highly recommend we consider this simplification of current regulation and legislation.

Sincerely,

John D. Halamka MD"

Privacy protection will always be a journey, but we need to start somewhere and I hope my comments above seem reasonable.

Cool Technology of the Week

I've recently been asked how healthcare information exchange can simplify compliance processes such as the delivery of electronic summaries, instead of thousands of sheets of paper, to CMS in support of audits.

I've described the ONC Standards and Interoperability Framework (S&I) process several times previously in my blog.  S&I convenes stakeholders to assemble new implementation guides and do technical work to polish existing standards.  The HIT Standards Committee makes recommendations and evaluates standards implementation, but does not create implementation guides.

The S&I Framework Electronic Submission of Medical Documentation (ESMD) project supports the CMS vision for automating audit processes.

The S&I ESMD workgroup continues to work on the implementation guides which support the exchange of the relevant data from hospitalizations that would replace the paper-based audits of today.   I'm guessing they will choose the Consolidated CDA (CCDA) standard that was developed by consensus for transitions of care.

A single, template-based standard for communication of clinical details to clinicians and a replacement for paper-based CMS auditing processes.   ESMD and CCDA are definitely cool!

Our Cancer Journey - Week 9

My travel in China was timed for Kathy's good days, the end of one chemotherapy cycle and the beginning of the next.   She's had a busy week, with a visit to her surgeon (check in after 6 weeks of chemotherapy), her last cycle of Adriamycin/Cytoxan, and continuing our farm search as new properties begin coming onto the market in the Spring.

As I mentioned last week, I knew that traveling would make me uneasy.   I made a commitment to friends and colleagues over a year ago.  Backing out would impact the plans of many people who had agreed to 5 days of meetings in Shanghai as part of an effort to share US lessons learned in care processes and technology.   With Kathy's consent and perfect timing, I did the trip.

Kathy's support system includes her father, several fellow cancer survivors, and our next door neighbor, who is a heme/onc nurse from Dana Farber with 35 years of experience.     Our next door neighbor was very interested in visiting old friends at BIDMC and volunteered to take Kathy to cycle 4 of chemotherapy tomorrow in my absence.

I'll return by Sunday night just as the effects of chemotherapy are beginning.

Kathy's doing well.  Before I left, her left breast was examined and the tumor that was very pronounced a few weeks ago, could no longer be found on palpation. It's clearly responding well to the chemotherapy.

We confirmed this week what we had expected, chemotherapy has induced chemical menopause.    Thus far, no hot flashes, mood changes, or sleep disturbances.

We're staying in touch by email.   I have a generous international roaming data plan while traveling.  Kathy's putting all her energy in the farm search, which is very therapeutic for both of us.

This will be my only overnight travel without her during chemotherapy.    She'll join me for my April keynote in San Francisco and a May keynote in Vancouver.   There are a few same day Washington and Chicago trips but those will not conflict with her treatments or her low energy days.

Care at a Distance is emotionally challenging - I want to be home and focused on Kathy.   Our emails, her support system, and a mutual shared project to create a life beyond a 5 year survival statistic give us both comfort that all will be well.

Dispatch from China

This week I'm in Shanghai meeting with government, academic, and industry experts to discuss the implementation of electronic health records, healthcare information exchange, and business intelligence applications supporting the care of 23 million people.

Our team of 4 (Dr. Mitch Rabkin, Mt. Auburn hospital CEO Jeanette Clough, Architect Martha Rothman and I) flew to China February 12-13, losing 24 hours because of the international date line and 18 hours of flying.   We're staying in the eastern area of Shanghai, called Pudong, home to the economic miracle of the past 20 years - more skyscrapers than any other municipality in the world.

On February 14, we visited Huashan Hospital, a major teaching affiliate of Fudan University Medical School.  We learned a great deal about leading practices in China, specifically in the areas of neurology, neurosurgery, and infectious disease.    Huashan leads the country in many ways, but not in IT, since it only invests .8% of its operating budget in clinical applications and infrastructure supporting the healthcare process.   It's at a HIMSS Level 1 adoption level, but very committed to accelerating its progress.   In the afternoon, we keynoted a conference of all the hospital CEOs in Shanghai at the International Convention Center, Yellow River Hall. We were introduced by Dr. Chen, former director, Shanghai Municipal Health Bureau, now head of the Shanghai Hospital Association and  Dr. Jianguang Xu, Director General of the Shanghai Municipal Health Bureau.  The audience was very receptive to our comments about process improvement, patient centered care, accountable care organizations, LEAN improvement projects, and the importance of IT as a tool to facilitate these activities.

On February 15, we visited clinics and hospitals to better understand the emerging plans and infrastructure supporting healthcare in Shanghai.

On February 16, we've traveling to Hangzhou to offer advice to a team building a new hospital.

On Friday and Saturday we're advising healthcare leaders from Hong Kong before flying back to the US.

Every country, culture, and society has its own approach to healthcare.  China currently spends 5% of its gross domestic product on healthcare compared to 17% in the US.   In some ways China has fewer policy and technology barriers than the US because there are no state laws - just a single set of federal guidelines covering privacy, healthcare delivery, and IT.   Shanghai mandated the use of a single electronic record across its public hospitals.   It has mandated common standards and processes for medication exchange across the community.  If Dr. Xu develops a strategy, all hospital CEOs will follow it.

I look forward to our continued work with Chinese healthcare leaders.  The quality, safety, and efficiency challenges in China are similar all over the world and the lessons learned from Meaningful Use and Healthcare Reform will assist China while also ensuring they avoid our mistakes.

The Perfect EHR

I support over 3000 clinicians in heterogeneous sites of care - solo practitioners, small offices, multi-specialty facilities, community hospitals, academic medical centers, and large group practices.

In every location there is some level of dissatisfaction with their EHR.   Complaints about usability, speed of documentation, training, performance, and personalization limitations are typical.   Most interesting is that users believe the grass will be greener by selecting another EHR.

I've heard from GE users who want Allscripts, eClinicalworks users who want Epic, Allscripts users who want AthenaHealth, and NextGen users who want eClinicalWorks.

The bottom line from every product I've used and everyone I've spoken with is that there is no current "perfect" EHR.   We're still very early in the EHR maturity lifecycle.

What is the perfect EHR?   I've written about my best thinking, which has been incorporated into the BIDMC home built record, webOMR.   (and has dissatisfied users too)

However, after listening to many "grass is greener" stories, I believe that what a provider perceives as a better EHR often represents trade offs in functionality.  One EHR may have better prescribing functionality while another has better letters, another is more integrated and another has better support.  The "best" EHRs, according to providers, varies by what is most important to that individual provider/practice, which may not be consistent with enterprise goals or the needs of an Accountable Care Organization.

My experience is that organizations which have given clinicians complete freedom of EHR choice now have an unintegrated melange of different products that make care standardization impossible.

My advice - pick an EHR for your enterprise that meets your strategic goals, providing the greatest good for the greatest number.   Apply a maximum effort to training, education, sharing of lessons learned, user engagement, and healthcare information exchange.

There will always be dissatisfaction and a claim that something is better.   However, I've never seen a change in product fix workflow and process issues.    BIDMC's strategy is to do our best  to ensure providers are educated and use their EHR optimally.   I do not believe that there is a better choice than our current mix of built and bought products that makes sense for our pioneer ACO and individual providers within the organization.

The Privacy & Security Mobile Device Project

Recently, ONC’s Office of the Chief Privacy Officer (OCPO), in collaboration with the HHS Office for Civil Rights (OCR), launched a Privacy & Security Mobile Device project.

The project goal is to better secure and protect health information on mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule - Remote Use Guidance, the project is designed to identify privacy and security best practices for devices that are are used outside healthcare facilities or not directly under IT department control.

The HHS Remote Use Guidance may not be familiar to clinicians and IT professionals.   It was issued on 12/28/2006 and includes specific recommendations for the use of Electronic Protected Health Information (EPHI) on mobile devices, specifically (1) the use of portable media/devices (such as USB flash drives) that store EPHI and (2) offsite access or transport of EPHI via laptops, smart phones, home computers or other non corporate equipment.

The report groups its recommendations into three areas: access, storage and transmission.

Access

Username/password protection -  to reduce the risk of keystroke loggers or stolen passwords, it recommends two factor authentication - something that you know and something that you have.

Remote access - to minimize the risk of privacy breaches, it recommends role-based access control for remote data access in combination with policies which delineate who is authorized use remote access methods.

Unattended devices - to minimize the risk of privacy breaches by those who may find a lost or unattended device, it recommends timeouts on any software used to access EPHI

Malware -  to minimize the damage done by the increasing flood of malware on the internet, it recommends personal firewalls and appropriate use of up to date anti-virus tools

Storage

Theft risk mitigation - to reduce the risk of breach when a device is lost or stolen, it recommends encryption, biometric authentication methods, and strong mobile device storage policies

Lifecycle management - to reduce the risk of data loss when a mobile device is retired it recommends  deletion/physical destruction of devices

Data cached on non-owned device - to minimize the risk that data will be left on public computers used to access EPHI remotely, it recommends training, prohibition on downloading  files containing EPHI, and application software configurations that eliminate browser caching

Transmission 

Off network transmission - to minimize the risk of interception, it recommends that all data transmissions require SSL, TLS, or VPN in addition to policies requiring encryption of all data in motion between organizations.

These are guidelines, not regulations, but you can bet the next time CMS/OCR investigates a breach, they will ask if you have followed the published recommendations for  access, storage and transmission.  Thus, I highly recommend you read the HHS guidance and incorporate their suggestions into your overall security program.

Cool Technology of the Week

I recently did an interview about distracted doctoring for National Public Radio.  Typically, when I speak on Morning Edition or All Things Considered, I travel to our local  NPR affiliate (WBUR) and use their high fidelity dedicated ISDN lines in a soundproof booth.  

This time, I used my iPhone 4S.

How does it work?   I used a free application called Report IT Live which NPR has selected to capture interviews in the field via the high fidelity microphones built into the iPhone and a high digital sampling rate.

When the interview was complete, I uploaded the file securely to NPR servers.

Here's an overview of how it works in the field.

High fidelity radio interview recording on your iPhone with all the sound quality of a studio.  That's cool!

Our Cancer Journey - Week 8

Kathy finished Cycle 3 of Adriamycin/Cytoxan, has weathered the most difficult treatment symptoms, had a positive rebound of her blood cell counts, and continued to receive an outpouring of support from the community.

Per the screen print above from BIDMC's web-based Online Medical Record, her neutrophil count increased from 3610 to 5660, ensuring she can fight infection.   Neutrophils are significantly affected by chemotherapeutic agents but Neulasta, a bone marrow stimulant, prevents cancer patients from the neutropenic nadirs that once caused multi-day hospitalizations requiring antibiotics.

Dr. Robin Schoenthaler, a Radiation Oncologist in the MGH Department of Radiation Oncology at Emerson Hospital and Director of Medical Education  at Emerson wrote to me with very helpful advice for husbands and families supporting breast cancer patients:
   
"I am a radiation oncologist at MGH specializing in the treatment of women with breast cancer and I have been following your blog (from which I heard about that very cool I-phone charger; thank you very much!) for some time.  My heart goes out to you and your wife.  I hope that things go as swimmingly as possible for you during and after the acute phase of treatment.

I have many many thoughts about what you have written; but yesterday's column which touched on the issues of 'causality' rang a real bell for me in three areas.


First off, it may interest you to know that, as far as I can find,  there are no good studies that absolutely link breast cancer (or any cancer) with stress.  Studies looking at extreme stress (eg war, famine, rape) have not shown a clear-cut link with the later development of cancers.  Studies looking at day-to-day stressors have been negative, and studies evaluating severe stressors (recent divorce, death of loved one) are extremely mixed -- some show perhaps a small link and some actually show that severe stressors are associated with a LOWER rate of breast cancer (eg the Women's Health Initiative).  This stuff is terribly hard to tease out so all we can say at the present time is that while there MAY be a link, and although there are hypothetical reasons to be concerned about a link, thus far many good studies do NOT show an absolute connection between being under stress and then getting breast cancer.


This may well be because 'cancer' is such a heterogenous disease, and it may also be related to the fact that cancers grow at such different rates, so that it's nearly impossible to say that a defined 'stressor' (and who can say exactly what stress is -- for some people it's their mother-in-law!) is linked to a very slow-growing breast cancer (or a fast one) or a lightning-fast lymphoma.  It's just too hard to connect the dots.

The second idea I would like to convey to you is that your search for a cause -- wondering if it's paints, or stress, or radicals (or for other women: fertility treatments, or living under power lines, or pesticides) is a specifically AMERICAN response to disease, or more fundamentally, why bad things happen to good people.  If you and your wife lived in India, you would probably think this disease occured because of something harmful you did in a past life prior to this reincarnation (karma, etc).  If you lived in Mexico, you might well think your wife was bound to suffer this way so she could offer it up and then sit at the right hand of Mary in heaven.

But here in America, we always, always, think it's something we did.  We think we are the cause.  We ALWAYS think we are the cause, and if only we had done x or y or z maybe this wouldn't have happened.  We like to think we are in control, us Americans (especially the engineers and computer people amongst us, despite the fact Mother Nature that is constantly showing us who rules.

I do think this is an important thing to think about -- maybe it wasn't environmental, maybe it had nothing to do with behavior, maybe it was just stone cold bad luck.  I think it changes the way one approaches disease sometimes and I offer it to you as a possibility.

The third thing I want to say to you is that you are really being a model Husband/Caretaker, and my hat is off to you and to all such wonderful men.  I call men like you 'Purse Holders' and in fact I wrote an essay in the Globe about them a couple of years ago.  If you care to read it you can find it here.

I send you my very best regards and wishes, and if you would like to further discuss these or any other breast-cancer-related issues or questions, please consider me your go-to person."

Thanks Robin, your support is much appreciated.  And you're right, since treating breast cancer is a partnership, all aspects of treatment including the driving, the listening, and the purse carrying are a shared responsibility.

On Sunday, I must fly to China to fulfill a promise I made a year ago to assist with healthcare IT design in Shanghai and Hong Kong.   My absence is timed for those treatment days when Kathy is at her best and her energy has returned.   I'll be back before the symptoms of Cycle 4 begin.    I'll write my post next week during the first time we've been apart overnight since her diagnosis in December.   As we travel the treatment path together, the experience of caring for Kathy long distance will bring new emotions.

Two Factor Authentication

I've previously written about innovative approaches to strong identity management which we're investigating.

SAFE-BioPharma has implemented a thoughtful two factor authentication solution that leverages mobile devices and is provisionally certified as a trust framework provider for NIST level of assurance 2 and 3 by the General Service's Administration FICAM program. Their solution is cross certified with the Federal Bridge Certificate authority.  Thus, their credentials are trusted in both the Public Key Infrastructure (PKI) and non-PKI sectors for authentication to any Federal application or infrastructure.

Here's how credentials are issued per Richard Furr, Head of Global Regulatory Affairs, Policy and  Compliance, SAFE-BioPharma Association:

The applicant is nominated for a credential by a sponsoring SAFE-BioPharma member.  It is important to note here that SAFE-BioPharma is a member driven non-profit association and only members of the association can nominate applicants for credentials.  Applicants must be employees or business partners of that member. Membership in SAFE-BioPharma is limited to entities that operate in the biopharmaceutical or healthcare delivery sectors.

The nomination is made on-line by a specially trained member of the member staff who enters specific data, I.e, at least name and business e-mail address, into the registration authority system (UIS) that Verizon Business operates as a contracted infrastructure provider for SAFE-BioPharma.

The UIS generates an email to the applicant address which contains a link to the UIS and a one time password to allow the applicant to access the UIS.

The applicant completes a user profile including other information, e.g., address, telephone, last 4 digits of their social security number, date of birth, medical license number if they have one, that the UIS uses to build out their identity.

Based on the data entered by the applicant the UIS develops their identity and through a contracted data source (LexisNexis) the applicant is presented with five multiple questions to which only they should know the correct answers.  The applicant has 2 minutes to answer 4 of the 5 questions correctly.  If they fail the first time they are presented another 5 questions.  If they answer 4 correctly their identity is confirmed and they can complete the registration process.  If they fail a second time they are rolled over to a manual notary process.

Once the identity is confirmed, the applicant creates an account with the UIS Identity Broker by creating a strong user name and password according to the parameters of the system.  Then, the applicant registers one or more devices that are capable of receiving a cryptographically generated one-time password, e.g., smartphone (Android or iPhone), SMS capable cell phone, iPad, other mobile tablet, landline phone capable of receiving interactive voice response, other token (RSA, OAuth, etc,) or other types of devices that can receive the One Time Password (OTP) .

Upon completion of these steps the system also generates an X.509 certificate that is downloaded to a cloud-based FIPS 140-2, level 3 certified hardware security module.  This certificate is the applicant's digital signing certificate.  It can be accessed using the 2-factor non-PKI credential that was just generated.  Upon completion of these steps the applicant digitally signs their Subscriber agreement and is ready to go.  The entire process takes about 10 minutes. It is also important to note that the last 4 of the social security number and date of birth are deleted after the initial registration process so they are never kept in the system.

Here's how actual authentication works:

1.  The use accesses an application or portal via the internet.
2.  The accessed application or portal displays a login dialog that asks for the  user name and password.
3.  The user enters their user name and password and selects the pre-registered device to which they wish their OTP to be sent.  This is the first factor of the 2-factor authentication – something the user knows.  The app or portal also generates a SAML2 request to the identity broker.
4.  The identity broker verifies that the Account is valid and uses a cryptographic algorithm to generate the OTP and send it to the selected device.
5.  The app/portal displays a dialog for the user to enter their OTP.  The user has 5 minutes to enter the OTP.  When they do, the identity broker verifies the OTP as being the one that was generated and this completes the second factor – something the user has – in this case the pre-registered device that received the OTP. Based on this successful completion, the identity broker generates a SAML2 response to the app/portal verifying the identity.

If the user needs to digitally sign a document, such as an e-prescription, they can do so using this same process to authenticate to their X.509 certificate in the cloud.  It appears that the DEA will accept this process as part of the final rule for e-prescribing controlled substances.

Since the credentials are FICAM certified, it seems reasonable that such an approach meets all compliance criteria that require strong authentication for securing protected healthcare information.

Attesting to Meaningful Use Quality Measures

I was recently asked how eligible professionals should report the Meaningful Use Clinical Quality Measures if there are zero denominators (i.e. you do not have any hypertensives, adults, or patients with 2 or more visits in the measurement period)

Here's the answer as I understand the regulations and FAQs:

1.  Report on the 3 Core measures if you can, which include
*Hypertension: Blood Pressure Measurement
*Tobacco Use Assessment and Tobacco Cessation Intervention
*Adult Weight Screening and Follow-up

2.  If any of the 3 Core measures has a zero denominator, replace them one-for-one with one of the 3 alternate core measures.   If you can’t get to 3 non-zero denominators between the core and alternate core, report on all 6 (even if it means that you have to report 6 zero denominators)
*Weight Assessment and Counseling for Children and Adolescents
*Preventive Care and Screening: Influenza Immunization for Patients ≥ 50 Years Old
*Childhood Immunization Status

3.  Regardless of the above, you MUST report on 3 of the remaining 38 Additional Set measures.  If you are reporting any zero denominators from these Additional Set measures, you must attest that you have no other non-zero denominator measures.  Essentially, you have to confirm that you’re not running away from non-zero denominator measures.

In summary, the minimal requirement is for 6 measures (3 core or alternate core, 3 additional set).  You may have to report up to 9 measures if there are zero denominators involved.  If you can’t find 3 non-zero denominators among the core and alternate core, you have to report on all 6 (even if it means that you’re reporting 6 zero denominators).  In addition, you still have to report on 3 from the remaining 38 additional set measures.  If any of these 3 additional set measures is a zero denominator, you must confirm that you don’t have a non-zero denominator for any of the remaining 35 that you’re not reporting on.
 
Micky Tripathi posted a blog about this last summer that provides additional detail.

You'll find the FAQs that address the Clinical Quality Measures here.

The Perfect Storm for Innovation

In my career, there have been a few perfect storms, defined as "a confluence, resulting in an event of unusual magnitude".

When I was an undergraduate at Stanford University in 1980, two geeky guys named Jobs and Wozniak dropped by the Homebrew Computer Club to demonstrate a kit designed in their garage.   IBM introduced the Personal Computer and MSDOS 1.0.   I purchased an early copy of Microsoft Basic and began creating software in my dorm room including early versions of tax calculation software, an econometric modeling language, and electronic data interchange tools.   Every day brought a new opportunity. The energies of hundreds of entrepreneurs created an industry in a few intensely creative months that laid the foundation for the architecture and tools still in use today.   A guy named Gates offered me a job and I decided to stay in school instead.

In 2001 when I was first hired at Harvard, a visionary Dean for Medical Education, a supportive Dean of the Medical School,  talented new development staff, and a sleepless MD/Phd student came together to create one of the first Learning Management Systems in the country, Mycourses.   Robust web technologies, voice recognition, search engines, early mobile devices, and new multi-media streaming standards coincided with resources, strong governance, and a sense of urgency.  Magic happened and in a matter of months, an entire platform was created that is still powering the medical school today.

At BIDMC in 2010, IS Clinical Systems staff and key operational leaders realized that Meaningful Use Stage 1 was within reach if we temporarily put aside other work and focused our energy, creativity, and enthusiasm on rapid innovation, process change, and education.   In a few weeks we became the first hospital in the country to certify our EHR applications - inpatient and ambulatory.    We became the first hospital to achieve Meaningful Use.  More than 70% of our eligible professionals have surpassed meaningful use performance thresholds.   We had no budget, no dedicated resources, and nothing but strength of will to make it happen.   It was one of our finest hours.

In 2011, the Massachusetts public sector (Secretary of EOHHS, CIO of EOHHS), private sector healthcare leaders, and healthcare IT experts had a bold idea - create a public utility that links together all the existing regional health information exchanges, public health, small clinician offices, payers, and patients using modular components procured and initially operated by state government.   We aligned forces and in a few weeks created budgets, project plans, a new State Medicaid Health Plan, and a guiding coalition of stakeholders.    Political, organizational, and technical barriers were broken down and unbridled optimism rekindled our health information exchange momentum.    2012 will be a transformative year in the Commonwealth, truly a perfect storm.

My advice - look for the perfect storms in your own life.  Minimize your distractions, cancel unnecessary meetings, and put aside those tasks that don't add value.   Take a risk and dive head first into the possibility of creating greatness.   I've seen opportunity come and go in my life.   No one remembers the mundane.  No one forgets the events of unusual magnitude.

Recently, I updated my BIDMC job description to include fostering healthcare information exchange among affiliates, accountable care organizations, and the community.   The Massachusetts Health Information Exchange is the next perfect storm in my career and I will devote all of my energies to the confluence being created by EOHHS CIO Manu Tandon, Massachusetts eHealth Collaborative CEO Micky Tripathi, and the dozens of volunteers lending the wisdom to the process.

Cool Technology of the Week

I recently wrote about the explosion of business spam.

One of my blog commenters introduced me to Unsubscribe.com which provides a free, timesaving, easy to use unsubscribe utility.

Numerous times a day, I click on an email scroll to the unsubscribe area, have to figure out the proprietary unsubscribe functionality of the business spammer, retype my email address, and hope it works since unsubscribe sites are generally slow and unreliable.

With Unsubscribe.com, I just download a plug in for my email client (apple mail), and simply click on the unsubscribe icon whenever unwanted email appears in my inbox.   The unsubscribe servers use natural language processing to figure out the unsubscribe methodology and send the unsubscribe request.

It has easily saved me 15 minutes a day.

Of course the ultimate answer would be for advertisers to act more ethically.   I had a great conversation with Dave Smith, Compliance Officer for Constant Contact about their efforts to enforce email advertising best practices.    A few items

1.  They ask their clients to certify pre-existing business relationships or opt-in before sending email.   Some clients do not follow this policy guidance the Constant Contact compliance team does their best to identify and stop abuses by their customers.

2.  They created "Safe Unsubscribe" to make it easier for recipients to remove themselves from mailing lists.   It really works - Safe Unsubscribe does actually stop the flow of advertising.

3.  They will honor a  global "do not call" designation for all email newsletters if such a request is made to the compliance department.

My wife uses Constant Contact for her NKG Art Gallery Newsletter, so I'm not opting out of all communications just yet.   Only a small portion of my business spam comes from advertisers using Constant Contact - a tribute to their ethical marketing compliance efforts.

A utility to automatically unsubscribe and a company using a compliance team to reduce unwanted email.    That's cool!

Our Cancer Journey - Week 7

Tomorrow we begin the third cycle of Cytoxan/Adriamycin.   In the journey thus far, Kathy has had good days and bad days.   High energy and low energy days.    Meal days and BRAT (Bananas, Rice, Apples, Toast) days.    We frequently discuss the factors that put Kathy at risk for cancer at this point in her life.   We talk a lot about the future.

Kathy's typical pattern is

Friday - Chemotherapy infusion day, good energy, good appetite, some jitters from the steroids
Saturday - Good energy, good appetite, some jitters from the steroids
Sunday - Waning energy, moderate appetite, bone pain
Monday - No energy, moderate appetite, extra sleep needed, bone pain, bland diet
Tuesday - Low energy, extra sleep needed, bone pain, bland diet
Wednesday - Low energy, bland diet, extra rest needed
Thursday - Moderate energy, bland diet
Friday - Moderate energy, stomach pain, bland diet
Saturday - Moderate energy, stomach pain, bland diet
Sunday - Moderate energy, stomach pain, bland diet
Monday - Good energy, moderate appetite
Tuesday - Good energy, good appetite
Wednesday - Good energy, good appetite
Thursday  - Good energy, good appetite

What environmental risks caused the cancer at this point in her life?  Exposure to the cadmium and other heavy metal pigments in her traditional oil paints? Pesticides in the environment? Bisphenol in cans? Free radicals?

We've talked about psychoneuroimmunology, the impact of mood and outlook on the ability to combat disease.

The past two years have been challenging for Kathy - helping our daughter grow from high school to college, transitioning to an empty nest, creating an art gallery business in a challenging economy, sharing the stresses of my Federal/State/local work (especially Meaningful Use for several hospitals and 2000 doctors), and supporting the health needs of our parents.

Although they past few years have been stressful, all the events are consistent with our expectation for this stage of life.

One event in the past year was a bit out of the ordinary.  A 19 year old with a very poor driving record (4 points on his license, 1 high speed collision, 1 hit and run etc.) drove down the wrong side of the road around a line of traffic and hit Kathy's car as she was exiting a parking lot.   It was very clear from the position of the impact that it was caused by a driver violating the law.

Kathy filed an insurance claim and provided all the details of the accident.

The 19 year old driver lied about what happened.

Our insurance company decided Kathy was at fault, gave her a point on her driving record, and added a multi-year surcharge to her insurance.

When Kathy pursued the issue, noting that the 19 year old with the poor driving record was lying, the insurance company told her that without a photograph of the accident or an independent witness who was willing to verify the events, they would have to believe the 19 year old because Kathy was exiting a parking lot and that makes her at least 51% responsible.  Despite Kathy's over 30 year good driving record, the insurance company representative literally ended the conversation with the statement "Life isn't fair".

That episode temporarily caused Kathy to lose her faith in humanity and gave her a sense of helplessness in a hostile world.

As with any conflict or issue, for everything there is a process.

Kathy appealed the ruling to the Massachusetts Board of Insurance and wrote an eloquent letter stating the facts.

Today the Board of Insurance ruled she was not at fault, rescinded the point on her license, and demanded that the insurance company refund/rescind the surcharge.  She cried when she opened the letter. The nice guy can still finish first.

This weekend we'll continue our search for local farmland by touring Harvard, Massachusetts with locals recommended by our next door neighbor.  The cancer diagnosis constrains our possibilities but has not dulled our enthusiasm for a long and fulfilling future.