Tuesday, August 24, 2010

Challenges and Barriers to Clinical Decision Support

I was recently reviewing an AHRQ report entitled "Challenges and Barriers to Clinical Decision Support (CDS) Design and Implementation" which was based upon AHRQ CDS Demonstration Projects.  There were several challenges faced:

1. Management of the design of CDS takes considerable time and effort
2. Lack of alignment with the organization's overall goals and incentives
3. Clinicians do not agree on how prescriptive the CDS application should be
4. Local institutions and providers chose to "customize knowledge"
5. Guidelines are ambiguous and unclear
6. Terminology and data exchange standards are still maturing and lack implementation specifications

Additionally, the report noted that suboptimal EHR usage by clinicians diminished the impact of CDS interventions.

Finally, the report set forth some lessons and proposals for improvement.

Guideline developers:
 Guidelines should be specific, unambiguous, and clear.
 Guideline development committees should include individuals with programming expertise and health informaticians.
 Updates of the guideline recommendations are needed. Guideline developers should consider issuing statements of update when new medical evidence is brought forth and providing regular review and updates of guidelines. For example, the USPSTF re-reviews each topic every 5 years.

IT vendors:
 As most organizations utilize vendor systems with hard-coded functionality, vendors should consider ways to reduce the need for an organization to rebuild the CDS content when upgrading or implementing a new EMR system (e.g., adopting a module or service-oriented approach).
 Incentives for vendor participation in CDS initiatives should be aligned with efforts, such as defining meaningful use criteria, to encourage standards adoption.

Standards development organizations:
 Implementation specifications and guides should be produced that simplify existing standards and support consistent application of standards for messaging, interfacing, and mapping purposes.
 The development of standards and implementation specifications and guides should accommodate appropriate clinical practice variations.

Monday, August 23, 2010

HIT Policy Committee Endorses Tiger Team Recommendations on Consent for HIE

The federal Health IT Policy Committee has endorsed a set of recommendations on when healthcare providers must obtain consent before exchanging patient health records electronically with other clinicians, testing labs or health information exchange (HIE) networks. The Committee will submit the recommendations, the product of several weeks' work by a special privacy and security "tiger team," to the Office of the National Coordinator for Health Information Technology. ONC must decide whether to set the recommendations in policy in time for the start of its health IT adoption campaign next year.

The recommendations answer questions that ONC raised about patient consent policies for point-to-point exchanges among providers and between providers and testing labs.

Clinical practices and hospitals must be able to perform such simple or "directed" exchanges in order to qualify for incentive payments in the first stage of the meaningful use project beginning in 2011. "We laid down a foundation with these recommendations," said Deven McGraw, chair of the tiger team at the Aug. 20 meeting. "But only a systemic and comprehensive approach to privacy and security can achieve public confidence."

Wednesday, August 4, 2010

"Willful Neglect" and HIPAA

The recently proposed HITECH Act changes to HIPAA go into extensive detail on the categories of culpability. Setting aside some of the other interesting aspects of these modifications, and the other highlights of the rules, one example relating to the "willful neglect" standard struck me as new and unusual.

In describing a situation which may rise to the level of willful neglect, HHS provides an example of a covered entity that failed to respond to an individual's request that it restrict its uses and disclosures of protected health information. HHS's investigation reveals that the covered entity has no policies and procedures to consider the request for a restriction and it "refuses to accept any requests for restrictions from individual patients who inquire." It is the quoted language which seems so odd to me. Under HIPAA's Privacy Rule, a covered entity is not obligated to accept any request for a restriction on uses or disclosures (45 C.F.R. section 164.522(a)(1)(i)). In the past, many have counseled that covered entities should never agree to such a restriction because it goes beyond what HIPAA mandates and it may subject the covered entity to a multitude of record-keeping and other logistical difficulties. In other words, the patient had the right to request, but did not have the right to receive, such a restriction on the PHI. In addition, the Privacy Rule only requires documentation if the covered entity agrees to the restriction and the implementation specifications (i.e. policies and procedures) only relate to agreement to the restriction.

However, the preamble to the proposed Rule states that "In the second example, the covered entity's refusal to accept any requests for restrictions from individual patients who inquire would be grounds for a separate finding of a violation due to willful neglect."  I fail to see how refusing to accept any requests would amount to any violation, let alone willful neglect.  Perhaps HHS is using the term "accept" to mean simply that the individual has a right to submit the request and that submission must be accepted (or, that the patient has inquired about the right to request and that inquiry was not accepted), rather than using "accept" to mean agreement.  In either case, it is a very strong and straightforward statement that is not completely supported by existing law.

Wednesday, July 21, 2010

Data Breach Result of Business Associate

The protected health information of 800,000 patients has been lost or stolen, according to South Shore Hospital in South Weymouth, Massachusetts. Backup computer files that were sent to a contractor for destruction have been lost. The files were not encrypted and, accordingly, notice of the breach was required to be given to the individuals, media outlets, and the Office for Civil Rights. According to the hospital, it first learned that the files had not been disposed of properly on June 17, 2010. It claims, despite the legal requirements otherwise imposing a more timely notice, that it will not be sending out notices to individuals for another 4-6 weeks (the HITECH Breach Notification Rule requires notice to individuals no later than 60 days from the date the breach is discovered).

Interestingly, the notice does not specify the identity of the business associate who purportedly lost the information.  Not sure why the hospital would want to take the full brunt of the public relations hit that this breach has caused.  It may be that the relationship between the parties was not spelled out as carefully as it should have been under the business associate agreement.  Or, it could be that the business associate had inserted some protective language into its form of the business associate agreement that the hospital did not carefully review.  I am more inclined to view it as a failure on the part of the hospital to carefully draft its business associate agreement because there is no indication that the hospital intends to provide free credit and identity theft protection.  A properly prepared agreement would have put the onus on the business associate to provide for such coverage, among other things.

Monday, July 12, 2010

Hospital ER Computers -- Germ Factories

A recent study by Henry Ford Hospital found that computer keyboards in the registration and triage areas of the emergency department contained the highest level of germs. "Contamination was predominantly found in non-treatment areas," says Angela Pugliese, M.D., lead author of the study and an emergency department physician at Henry Ford Hospital.

"This suggests that only areas without true patient contact, and likely less frequent hand washing, might benefit from using washable silicone rubber or antibacterial keyboards instead of a standard keyboard."

Dr. Pugliese will present the findings June 5 at the Annual Meeting of the Society for Academic Emergency Medicine in Phoenix.

Multiple studies have found colonies of bacteria on computer keyboards. Due to the threat of its potential spread to patients, Henry Ford's Information Technology and Infection Control departments recommended exchanging traditional keyboards in the Emergency Department for washable, silicone rubber models.

The objective of this study was to determine the frequency and type of keyboard contamination before replacing the keyboards.

Seventy-two standard, non-silicone rubber keyboards were swabbed on two different days, six days apart. All keyboard keys, except the function keys, were cultured and analyzed for bacteria.

Less than 14 percent, or 10 keyboards, were colonized with nine different bacteria. Of the keyboards in non-treatment areas, nearly 32 percent were contaminated, versus less than nine percent in treatment areas.

Thursday, July 8, 2010

New HIPAA Regulations Proposed

New proposed regulations have been released modifying the HIPAA Privacy, Security, and Enforcement Rules. The modifications are made pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act.

A more detailed summary will follow.  For now, a copy of the Notice of Proposed Rulemaking may be accessed here.

Wednesday, July 7, 2010

Health Net to Pay $250K to Settle CT Breach

Health Net has agreed to pay $250,000 and enter a corrective action plan to settle a lawsuit brought by Connecticut Attorney General Richard Blumenthal after a hard drive containing information of 1.5 million current and former members was lost or stolen.

Blumenthal sued the company in January, becoming the first state attorney general to wield new authority granted under the stimulus law to enforce the privacy provisions of the Health Insurance Portability and Accountability Act of 1996. The agreement resolving the case stipulates that the settlement does not represent an admission of liability or wrongdoing by Health Net.

Further information at Modern Healthcare, in a story by Gregg Blesch.

Hospitals and HIT Benefits

Hospitals understand the importance of health information technology (HIT) and the benefits of its widespread adoption, yet as a field still face significant barriers to implementation, according to a newly released survey of America's Most Wired hospitals and health systems.
This year's survey reveals continued progress for hospitals in patient safety initiatives:
Fifty-one percent of medication orders were done electronically by physicians at Most Wired hospitals, up from 49 percent last year. Over half (55 percent) of Most Wired hospitals match medication orders at the bedside through bar coding or radio-frequency identification, up from 49 percent in 2009 and from 23 percent five years ago. Additionally, Most Wired hospitals have made improvements when it comes to sharing information during care transitions. For example, new medication lists are electronically delivered to caregivers and patients 94 percent of the time when a patient is transferred within the hospital, 98 percent at discharge and 86 percent when transferred to another care setting.

"The survey results highlight that continued progress is being made but the full potential of health IT has not been met," says Rich Umbdenstock, president and CEO of the American Hospital Association (AHA). "Hospitals embrace health IT and recognize the many benefits it can provide to patients, but even Most Wired hospitals face barriers to adoption. We have asked that the federal government stimulate greater adoption by making Medicare and Medicaid incentive payments more widely available to hospitals and physicians so more hospitals can move in this direction."

Survey results speak to the fact that the full potential of health IT has not been met and that the use of electronic health record (EHR) functions is still not widespread, even with independent physicians who practice within hospitals. For Most Wired hospitals, only 43 percent of independent physician practices have the ability to electronically document medical records, 41 percent have computerized physician order entry (CPOE) and 44 percent have decision support.

Gerry McCarthy, vice president of physician solutions at McKesson Corporation says providers need to be strategic about IT deployments. "You can't just start with CPOE as a first step," he says. "The best way to garner physician adoption of CPOE is to ensure that it adds immediate value to their workflow, which involves automating information across foundational care processes first, such as nursing documentation and bar-code medication administration, clinical monitoring and other features." The same type of thoughtful planning should be applied to information exchange, both with physicians and patients, he adds. McKesson is a major sponsor of the Most Wired Survey.

The 2010 Most Wired Survey is redesigned this year to reflect two years of work with an advisory group to continually improve the survey. The 2010 Most Wired Survey represents a new structure and methodology with an increased use of analytics and reporting. The advisory group was comprised of leaders from the College of Healthcare Information Management Executives (CHIME), chief information officers, Most Wired staff and vendors. Additionally, the new methodology was made available to the entire CHIME membership for review and comment.

Hospitals & Health Networks conducted the 2010 survey in cooperation with McKesson Corporation and CHIME. The H&HN cover story detailing results is available here.