Legal/Compliance

Increasingly hazardous healthcare environment should urge Congress to create a National Health IT Safety Center

Discharge instructions for a child’s insulin dose were correctly entered into the electronic health record (EHR), but when the mother received the printed instructions there was a decimal point error resulting in a 10-times dosing error.  This error was fortunately noticed by the bedside nurse and corrected manually.  I reported this near-miss to the EHR vendor and they corrected the technical problem.  However, when I asked vendor representatives whether or not this problem was being corrected with other physician clients across the country, they informed me that no other client had reported such a problem. 
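The page does not say how the printed instructions lost their decimal point, so the "buggy" renderer below is a constructed formatting mistake with the same effect, added here as an illustration rather than the vendor's code. What it shows is the check a practice or vendor can put in front of any printed dose: parse the number back out of the rendered text and compare it with the value stored in the record, so that a formatting defect is caught before the paper reaches the parent. The dose values and the unit string are constructed sample inputs.

```python
import re
from decimal import Decimal

# Constructed defect (hypothetical, not the page's vendor's bug): str(Decimal("0.5"))
# is "0.5"; stripping the characters "0" and "." from the left leaves "5", a
# 10-times overdose. Doses of 1 unit or more are untouched, which is why such a
# defect can survive casual testing.
def render_dose_buggy(dose: Decimal) -> str:
    return str(dose).lstrip("0.") + " units"

# Hardened renderer: drop trailing zeros only, never touch the integer part.
def render_dose_fixed(dose: Decimal) -> str:
    return format(dose.normalize(), "f") + " units"

DOSE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*units")

def rendered_matches(entered: Decimal, rendered: str) -> bool:
    """Round-trip check: parse the number back out of the printed text and
    compare it with the value in the record. Any formatting step that changes
    the numeric value fails this check, whatever the cause."""
    m = DOSE_RE.search(rendered)
    return m is not None and Decimal(m.group(1)) == entered

def safe_instruction(dose: Decimal, render) -> str:
    """Render, then verify; refuse to emit text that mis-states the dose."""
    text = render(dose)
    if not rendered_matches(dose, text):
        raise ValueError(f"rendered {text!r} does not match entered dose {dose}")
    return text

def audit(render, doses) -> dict:
    """Run the round-trip check over a set of doses; returns {dose: passed}."""
    return {str(d): rendered_matches(d, render(d)) for d in doses}

if __name__ == "__main__":
    # Constructed sample doses, including the sub-unit ones the defect affects.
    sample = [Decimal("0.5"), Decimal("0.05"), Decimal("1.5"), Decimal("10.0")]
    print("buggy:", audit(render_dose_buggy, sample))
    print("fixed:", audit(render_dose_fixed, sample))
```

The point of `audit` is that it is independent of the renderer: the same check applied to a printed discharge sheet, a portal view, or a pharmacy message flags the error without anyone needing to know in advance which formatting step introduced it.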

This is analogous to a situation where an airbag explodes and sends shrapnel into your face.  You might ask the automaker whether this is a problem with their other vehicles.  They might tell you that they are not aware of others having the same problem.  However, in the transportation industry they are required to report safety incidents and near-misses.  These reports are collected, aggregated and analyzed by the National Transportation Safety Board (NTSB).  If NTSB notices a trend in airbag-induced shrapnel injuries, they will initiate an investigation.  When NTSB discovers a problem with a specific airbag that is used across multiple types of automobiles, not just the type you purchased in your own state, then they are authorized by Congress to make safety recommendations to help ensure the risk is appropriately managed across the industry.

This insulin dosing incident is one of many health IT-related patient safety risks I have encountered and resolved in collaboration with an EHR vendor.  When my experience is extrapolated to the experiences of all physicians and EHR vendors, the scope of health IT-related patient safety risks can be seen as immense.  But unlike the safety of interstate commerce produced by the auto industry that is overseen by the NTSB, the safety of interstate commerce produced by EHR vendors has no cohesive oversight mechanism.  

The lack of oversight for health IT-related patient safety incidents and near-misses creates a hazardous patient care environment that I believe is urgent for Congress to address.  The threat is increasing because the Meaningful Use Program (MU) has led to an exponential increase in the use of EHRs and other technology.  As a result, physicians are assuming a higher level of risk and accountability for computer programs, networks and infrastructures that are increasingly used as tools to generate patient care actions and facilitate medical decisions.  Although health IT-related patient safety risks would best be managed through shared accountability between physicians and EHR vendors, the vendors are not currently held accountable for patient safety.  Furthermore, the aggressive MU timelines have required EHR vendors to make rapid changes to EHRs without sufficient time to align changes with efficient physician workflows or to improve the flow of data between systems.  As a result, EHRs are increasingly plagued by poor usability and lack of interoperability between EHR systems--both of which are patient safety risks that physicians commonly encounter.

So it is time to urge Congress to create a National Health IT Safety Center that can implement an effective EHR safety program designed to reduce EHR-related patient safety risks.  Within this concept EHR vendors could be required to report patient safety incidents and near-misses to the Health IT Safety Center similar to how transportation safety incidents must be reported to the National Transportation Safety Board.   The Health IT Safety Center could collect, aggregate and analyze reported data.   It could have power to investigate incidents involving patient harm and require EHR vendors to make appropriate changes.  It could monitor near-misses to identify trends and risks.  It could coordinate with other agencies to develop and broadly disseminate educational information and tools that mitigate identified patient safety risks related to technology use.  

I also envision that this resolution would lead to an entity that has the authority and influence to drive improvements in EHR usability and interoperability, which are the two most significant impediments to effective and meaningful use of electronic medical records.

Improved Physician Practice Preparedness To Recover from EMR Downtime and Other Technology Risks is Needed

It should not take 3 weeks to restore an EMR system.  

I was not surprised when one of my colleagues told me his EMR unexpectedly "went down", as there are many threats to hardware and software--wind, fire, water, construction equipment, human error and cyber crimes to name a few.  It was the rest of his story that was so disheartening.  As he recalled the struggles that his group endured for three weeks, his facial expression contorted into what I can best describe as that of "helpless resignation".   The complexities of technology had held him and his group hostage for three weeks.   At the time of our initial discussion he was still in the "grieving" stage, so I felt it to be too early to engage in a healthy discussion about IT risk management.   He needed to vent.   I needed to listen.  

And this story exemplifies what drives me to spend time collaborating with the Texas Medical Association (TMA) and others to raise physician awareness about the safe use of EMRs.   I do not have data, but my gut tells me that the majority of physician practices underestimate how vulnerable they are to EMR threats, especially small physician practices who lack internal IT expertise.  Perhaps the recent rise in ransomware attacks will actually be beneficial.  A ransomware attack on a physician office in South Texas earlier this year has led the TMA to increase communications to physicians about the threat of ransomware and other cyber attacks.    

Until recently the focus of preventive strategies against cyber attacks has been to ensure that the privacy and confidentiality of electronic medical records (EMRs) are maintained.   HIPAA stuff.   And this is understandable since privacy breaches are expensive for a practice to manage, and such breaches have the potential to financially hurt patients if their data is used maliciously.  But ransomware attacks are different because they make a physician's EMR unusable until a ransom is paid (or the EMR is otherwise restored).  Unlike privacy breaches, ransomware attacks are disruptive to the daily operations of the practice.  It is a disruption that impairs the ability to take care of patients who are in the office as well as those who call the office.  At the end of the day the physician is left struggling to take care of patients who are sick without access to information that is really needed.  This is a "new normal" that should brightly illuminate the need for improved disaster recovery preparedness and IT risk management for physician practices.    

There are ways to reduce the threat of ransomware attacks and other health IT risks.  A thorough security risk analysis can identify weaknesses that could be targeted by cyber criminals.  Steps can then be taken to reduce the chances of being victimized.  Establishing a habit of continually identifying and managing these technical risks will further reduce the chances of an EMR shutdown.  

But one of the major obstacles is that physicians generally do not have the knowledge, expertise and time to do this themselves.  Another obstacle is that security risk analysis tools are designed primarily for large healthcare systems and do not translate well onto a small physician practice.  That is why the TMA's ad hoc Health IT Committee is currently collaborating with a vendor, a state agency and one small physician practice to hone down a security risk planning tool into something that would be feasible and effective for small physician practices to adopt.  For now physicians have to rely on consultants or train/hire IT staff to identify and manage technology security risks.

Nevertheless, no system can be 100% "downtime-proofed".  So even if a physician practice adopts best practices for security risk management, they must be prepared for a disaster to strike at any time.  After a disaster strikes, maintaining the ability to effectively care for patients must be the first priority.  I have coined the term, "clinical continuity planning", to characterize this planning.  I base the term on a similar commonly used term, "business continuity planning", which is the plan businesses develop to maintain daily operations during technology downtimes and disasters.  A physician office certainly is a business and should have a business continuity plan to maintain economic viability during disasters.  But the life-and-death nature of patient care is so unique that I believe a clinical continuity plan should be developed by each practice and be considered as the first priority in disaster planning.  Business continuity is integrated with clinical continuity and is also vital to the physician practice, but it should be considered as a lower priority.  In the real world this means that when weaknesses in security and downtime planning are identified, clinical continuity weaknesses should be addressed before business continuity weaknesses are addressed.  
 
The most effective protection against a ransomware attack and other types of "downtime" is to have a complete backup of EMR data and an ability to quickly restore the EMR system.  If the practice can do that, they may not have to pay a ransom, and the impact on patient care can be minimized if the backup and restore tools/processes are effective.  
 
With the rise of ransomware attacks I believe the primary focus of health IT risk management for physician practices should be to ensure an acceptable degree of clinical continuity can be maintained during EMR downtimes.  Secondarily, the practice should understand the tools and processes that are in place to back up and restore the EMR in the event of a disaster, and make sure they get tested.  The first time a physician discovers that it will take 3 weeks to restore their EMR should not be after a real disaster strikes.   
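The two preceding paragraphs say that a backup only counts if the practice can actually restore from it, and that the restore has to be tested before a real disaster. The script below is an added example of such a restore drill; it is not tooling from the TMA, a vendor, or the post. It backs up a constructed set of sample "EMR" files to a tar.gz archive, restores the archive into a scratch directory, checks every file against a SHA-256 manifest taken at backup time, and times the restore against a recovery time objective (RTO). The RTO, the file names and their contents are hypothetical; the `skip_dirs` knob reproduces a common real-world failure, a backup job that silently leaves a directory out of the backup set.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Added example with constructed data; not any vendor's backup product.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(src: Path) -> dict:
    """What must come back after a restore: {relative path: sha256} of every live file."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}

def make_backup(src: Path, archive: Path, skip_dirs=()) -> None:
    """Write a tar.gz of src. skip_dirs mimics a misconfigured job that
    leaves a top-level directory out of the backup without any error."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            rel = p.relative_to(src)
            if p.is_file() and rel.parts[0] not in skip_dirs:
                tar.add(p, arcname=rel.as_posix())

def verify_restore(dest: Path, manifest: dict) -> list:
    """Compare the restored tree with the manifest recorded at backup time."""
    problems = []
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems

def run_drill(rto_seconds: float, skip_dirs=()) -> dict:
    """End-to-end drill: create sample data, back up, restore, verify, time it.
    rto_seconds is a hypothetical recovery time objective chosen by the practice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "emr"
        (src / "charts").mkdir(parents=True)
        # Constructed sample records standing in for the practice's live data.
        (src / "charts" / "patient_0001.json").write_text('{"id": 1, "allergies": ["penicillin"]}\n')
        (src / "charts" / "patient_0002.json").write_text('{"id": 2, "allergies": []}\n')
        (src / "schedule.csv").write_text("date,patient\n2016-03-01,1\n")
        manifest = build_manifest(src)
        archive = root / "emr-backup.tar.gz"
        make_backup(src, archive, skip_dirs)

        dest = root / "restore-test"
        dest.mkdir()
        start = time.monotonic()
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest)
        problems = verify_restore(dest, manifest)
        elapsed = time.monotonic() - start
        return {"verified": not problems, "problems": problems,
                "restore_seconds": elapsed, "within_rto": elapsed <= rto_seconds}

if __name__ == "__main__":
    print(run_drill(rto_seconds=60))
    print(run_drill(rto_seconds=60, skip_dirs=("charts",)))
```

The manifest is deliberately built from the live data, not from the archive, so a backup that omits files fails the drill even though the archive itself extracts cleanly; that is the difference between "the backup job ran" and "the practice can get its charts back". On real data the drill would restore onto separate hardware and the measured time, not the vendor's estimate, is what goes into the clinical continuity plan.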
Matt Murray, Cook Children's

Keys to Gain Value from EHR Implementation and Use

Many physicians who use an electronic health record (EHR) are having difficulty realizing value in their investment.   A recent KLAS survey found that more than one out of every four physician practices are so dissatisfied with their EHR that they are considering replacing it.    Although many physician practices have earned a financial award by using an EHR to achieve “meaningful use”,  data is lacking on whether or not such efforts actually improve patient outcomes.  

I believe, anecdotally, that I practice higher quality medicine when using an EHR.  But I am a pediatric emergency medicine physician using a hospital EHR to document patient encounters in a children's hospital's emergency department, not a physician in private practice.  On the other hand, my past experience as a Chief Medical Information Officer (CMIO) and Chief Information Officer (CIO) for my pediatric healthcare system provided opportunities to visit many private physician offices using a variety of ambulatory EHRs and to visit with many EHR vendors.  I met many physicians who were happy with their EHRs and saw the value.  Others I met were unhappy and saw no value in their EHR.  Perhaps my most eye-opening experience came when I visited with a group of unhappy physicians who were using the same EHR as some happy physicians I had met one week earlier.  So what gives?

The answer is simple, but the explanation is complex.  

The simple answer is that the value gained from an EHR is dependent on how effectively it is implemented and used.   When well-implemented and well-used, an EHR provides clinical and financial value.   When poorly-implemented and poorly-used, EHRs detract from patient care and are a financial drain.  

The complex explanation might best be explained using examples.  So, based on my past visits with physicians who use various EHRs and on other personal research, I have created an outline of what I think are the key factors that allow physicians to gain value from their EHR.  I am in the process of writing a series of blogs with case studies to help explain each of these factors.  Stay tuned! 

Keys to Gain Value

Dr. Matt Murray

Cook Children's


Health IT-related patient safety risks should inspire Congress to create a national patient safety board

The idea’s time has come. The U.S. healthcare system needs a national, independent entity empowered by Congress to oversee health IT patient safety. Now.

In today's world a health IT-related patient safety issue that is identified by a physician practice or hospital is investigated and managed in a nontransparent manner by the individual provider and the EHR vendor.  

Although the issue may be escalated to a local accountable care organization (ACO) or patient safety organization (PSO) that providers are increasingly becoming associated with, neither the issue nor the results of the investigation are reported to a statewide or national oversight entity. The patient safety data is therefore not collected, aggregated and analyzed at a state or national level. Without such oversight we are missing out on the opportunity to identify known avoidable health IT risks to patient safety and failing to disseminate knowledge on how to manage those risks. For example, if an issue is resolved at the physician practice between the physicians and EHR vendor but is not addressed at other practices that use the same EHR, then patients at those other practices remain at risk. 

I have observed EHR vendors tune in to patient safety issues more keenly in the past decade and sometimes make more visible efforts to ensure identified issues are addressed with all customers and not just the ones who report issues. And let's be clear that a majority of EHR-related patient safety risks are related to how an EHR product is being used or implemented by their clients and not due to inherent technical flaws with the vendor's product. Nevertheless, patient safety should be viewed as a shared responsibility between the physicians, their practices or organizations and the health IT vendors. Identifying and managing patient safety risks is done most effectively when all cooperate in a team effort.

In Texas there had been discussions within the Texas Medical Association about establishing a central, statewide EHR patient safety entity to monitor and manage health IT-related patient safety issues. The data would be rolled up from hospitals, physician practices and patient safety organizations across the state for aggregation and analysis. However, it became evident during those discussions that it would be feasible and much more beneficial to establish governance at a national level.

So why does this need to be a new, independent national agency charged by Congress to oversee health IT patient safety? 

Today there are many government agencies and private entities that I believe could and should contribute to patient safety surveillance and improvements, but none have the expertise, assets and time that are necessary to coordinate a national effort. In addition to the complexity involved with collecting and analyzing data from hundreds of institutions and PSOs, there are hundreds of unrelated EHR vendor products being used. There is not yet any available registry of health IT products, many of which are subdivided into multiple versions that sometimes vary widely in their available functionality. As a result, I strongly agree with the observations and recommendations described in an article by Singh, Classen and Sittig (J Patient Saf, Dec 2011; 7(4): 169-174) calling for a national patient safety board that is an independent government agency structured similarly to the National Transportation Safety Board. This entity would be charged by Congress to oversee HIT patient safety and coordinate with other agencies who can contribute to improvement in patient safety such as the Office of the National Coordinator, the Federal Drug Administration, the National Institute of Standards and Technology, the Agency for Healthcare Research and Quality, the Center for Medicare and Medicaid Services, the National Quality Forum, local patient safety organizations, local healthcare organizations who collect patient safety data, other local EHR patient safety reporting entities and industrial (EHR and HIT) trade associations. All of these entities need to function in a cooperative fashion in order to effectively identify and manage health IT-related patient safety risks.

The recent health IT report from the Food and Drug Administration Safety Innovation Act (FDASIA Health IT Report) proposes a framework to improve health IT-related safety risks including a proposed National Patient Safety Center. 

I am concerned, however, that the proposal does not appear to provide this entity with enough authority to get the job done effectively. A national patient safety entity must have the authority to not only monitor activity and provide learning opportunities for vendors and providers, but also to regulate activities, investigate events, ensure issue resolution and require compliance. I do not see enough "teeth" given to the entity proposed by the FDASIA report. 

The primary focus of a national Health IT Patient Safety Center should be on the dedicated surveillance of HIT-related safety risks and to promote learning from identified issues, potential adverse events (“close calls”) and adverse events. But it must also have the authority to effectively manage identified risks and ensure compliance with best practices for health IT patient safety.


Ask Not What ICD-10 Can Do For Healthcare, Ask What Healthcare Can Do With SNOMED and ICD-11

ICD-10 is so “last century”.    The United States did not adopt ICD-10 twenty years ago when the standard was first developed.    The current version of ICD-10 that the United States is designated to adopt is based primarily on the international version of ICD-10 that the World Health Organization (WHO) published in 1990.    The international version was drafted by committees that began their work over thirty years ago in 1982 (see 2nd Edition of ICD-10 by WHO).    In other words, our version of ICD-10 is based on work done before use of the rich information space called the Internet became common and before the human genome was mapped.

ICD-11 is “this century”.    According to an article in Healthcare Financing News, Christopher Chute who is one of the leading informatics experts and a Chairman of an ICD-11 Revision Steering Group at the World Health Organization stated:

“ICD-11 will be significantly more sophisticated, both from a computer science perspective and from a medical content and description perspective…. Each rubric in ICD-11 will have a fairly rich information space and metadata around it. It will have an English language definition, it will have logical linkages with attributes to SNOMED, it will have applicable genomic information and underpinnings linked to HUGO, human genome standard representations. ICD-10, as a point of contrast, provides a title, a string, a number, inclusion terms and an index. No definitions. No linkages because it was created before the Internet, let alone the semantic web. No rich information space.”

ICD-x codes are used by non-clinicians for important administrative and financial purposes.    SNOMED-CT, on the other hand, is what physicians will actually use to communicate information about patients in their electronic health records (EHRs).    In fact, physicians must use SNOMED vocabulary in their EHRs, not ICD-x codes, for their problem lists in order to achieve Stage 2 Meaningful Use for incentive payments and to avoid Medicare penalties in the future.    Unlike ICD-10, ICD-11 is based on SNOMED.  And SNOMED includes over 311,000 concepts with unique meanings, making it more granular than ICD-10 or ICD-11.  

One way to think about the relationship is that SNOMED is the input and ICD-x is the output.  SNOMED is used by clinicians to input clinical information into the EHR at a high level of detail.  ICD-10 and ICD-11 aggregate that data into less detailed classifications that are more useful for output purposes such as quality reporting.    They really cannot replace each other.   But we could and should require EHRs to map in the background the SNOMED codes used by physicians into the ICD-x codes used by others.    No need to engage physicians in ICD-x debates or to learn new vocabularies each time WHO does their thing with the U.S. traditionally following way behind.

So what the HIT are we thinking?    Do we really believe that healthcare quality will be significantly improved based on ICD-10 that was developed out of work done over 30 years ago before the Internet was commonly used and before human genome coding was completed?    Or do we believe that we need to adopt ICD-11 for output purposes and to use SNOMED–CT in EHRs for input purposes in order to move the quality needle in the right direction?

I for one believe that we need to get to ICD-11 as soon as possible.     And I believe we should cut the umbilical cord to ICD-10 right now because:

  1. There is currently no information showing that a conversion to ICD-10 is required before ICD-11.
  2. It is intuitively obvious that the costs of going to ICD-11 directly from ICD-9 would be less than incurring the remaining costs of implementing ICD-10 in 2015 (or later) and then implementing ICD-11 sometime thereafter.    And that includes the sunken ICD-10 costs.    If you believe that this is an outrageous assumption, then prove it to be untrue.    Show the comparative costs of both pathways.    But don’t just comment or blog that it’s ridiculous without providing some kind of evidence.     Sometimes it’s wisest to go with intuition.
  3. The ICD-10 implementation has been so painful that it is unlikely the industry will have the stomach to move on to ICD-11 within a decade.    This will result in an excessively long delay to ICD-11 and an excessive period of time using a classification system from the previous century.
  4. There is consensus among leading informatics experts that ICD-11 is superior to ICD-10.

 

Matt Murray, MD


AMA Fails To Do Homework on ICD-11 Cost Analysis

The American Medical Association (AMA) failed to complete their homework assignment before concluding in a report that skipping ICD-10 to move directly to ICD-11 is not a feasible option. Just like CMS (see CMS prematurely dismisses the alternative option to forgo ICD-10 and implement ICD-11), the AMA failed to compare the total cost of implementing ICD-10 and then implementing ICD-11 to the total cost of foregoing ICD-10 to implement ICD-11 sooner. To make matters worse, the AMA's report openly states that they only performed a preliminary assessment of the feasibility of moving from ICD-9 directly to ICD-11.   Since when does one draw a final conclusion based on a preliminary assessment?  

Several statements in the report lead me to believe that the AMA prematurely issued this report without performing a comprehensive analysis in order to maintain political relationships with other healthcare stakeholders.    For example, the AMA states that "while many physicians have concerns about the costs and burden of ICD-10, there are many other stakeholders, including 24 government agencies, researchers, large payers, large health system providers, and public health entities, that support the conversion."    OK, let's think about that...the AMA acknowledges that physicians are concerned about the costs, and yet they offer no comparative analysis of the costs. Which relationships have the appearance of being more important to the AMA in this case:  physicians or others?

The AMA states that "stakeholders have already invested millions towards the adoption of ICD-10."   This is certainly true, but I do not see these sunken costs as an obvious reason to eliminate the ICD-11 option. Instead, I see these costs as one of the important variables in a simple equation:

x = total cost of ICD-10 implementation + total cost of ICD-11 (two complete implementations)

y = sunken cost of ICD-10 work + total cost of ICD-11 (one complete implementation + sunken cost of partial implementation)

Is x greater than or less than y?   As a physician I expect my professional organization to actually do the math before writing down an answer.  

And finally, the AMA makes an argument for ICD-10 because "some have speculated" that it could take 20 years to implement ICD-11.   This is really quite embarrassing, as even CMS stated in their ICD-10 final rule that ICD-11 could be implemented as early as 2020.   In a recent Health Affairs report informatics experts speculate that an accelerated ICD-11 implementation could occur in 5-7 years, and they are in agreement that we need to transition to ICD-11 sooner than 20 years from now.

I recognize AMA as a strong advocate for physicians, but I give the organization an "F" on this homework assignment.   


Vendors Can Raise EHR Safety, Lower Business Risks Through Patient Safety Organizations

Physicians are disturbed when patient care is put at risk due to a problem caused by their use of an electronic health record (EHR).    Although they will generally tolerate the situation when their reported problem is effectively managed in a transparent manner, there are a number of situations that engender scorn for their vendor.   The most common scorn-generating situation is when they feel that the patient safety issue they reported has not received a high enough priority from their vendor.   These situations should, and often do, resolve when the doctor and vendor communicate a clear understanding of the problem and circumstances.  

But it is another situation that I think is much more frustrating.   A physician’s expectation is that EHR vendors respond to patient safety issues in the same manner physicians respond to adverse medical events.   Physicians engage in peer review activities to not only analyze and resolve a specific adverse event, but also determine a plan that reduces the risk of the adverse event happening again.  The most common peer review activities provide legal protections from discovery which promotes transparency and more effective management of the problem.  Physicians analogously expect EHR vendors to not only fix their problem, but also to transparently fix it for all other physicians using their product.   This puts EHR vendors in a quandary because the legal protections of peer review activities extended to physicians are not extended to EHR vendors.  

Resolving this problem will require assistance from the federal and state governments.    Along those lines the Office of the National Coordinator for Health Information Technology (ONC) published a Health IT Safety Plan on December 21, 2012, and is accepting public comments on it until February 4, 2013.   I believe the most important aspect of this plan is the development and use of patient safety organizations (PSOs) to identify, aggregate, and analyze health IT safety events and hazard reports.    

The aviation industry continually improves passenger safety by engaging pilots in self-reporting of errors and dangerous conditions through an offer of immunity from sanctions.   The federal Patient Safety Act of 2005 provides an analogous environment allowing physicians in the outpatient setting to voluntarily report and share quality and patient safety information to AHRQ-certified PSOs without fear of legal discovery.   Most physicians are familiar with the secure nature of communications when they are involved in hospital quality improvement activities.    The information, documents, discussions and committee reports generated under the hospital’s umbrella of quality programs are held confidential and privileged.   Privileged communications cannot be disclosed and used in medical litigation without consent.   PSOs offer an analogous umbrella of protection for physicians in the ambulatory setting.    Physicians may voluntarily report patient safety issues or quality data from their outpatient practices to a PSO on a privileged and confidential basis.    The PSO can aggregate and analyze information from multiple physicians and healthcare entities to help identify, prioritize and reduce hazards that impede quality care.

The legal protections offered to physicians through PSOs are not currently extended to EHR vendors. They should be, and I will endorse that change in my comments to ONC’s Health IT Safety Plan.   But even without this change there are ways for EHR vendors to safely engage with PSOs today.    Let’s consider one such scenario:

Fictional scenario:  Community physicians and several EHR vendors are associated with the same patient safety organization (PSO). Dr. X is one of the physician members and his EHR vendor, VendorZ, is an analytical contractor with the PSO. After entering a digoxin dose in his EHR’s Medication Reconciliation screen, Dr. X discovered that the dose displays with a misplaced decimal point on the Medication History screen. He reports this dangerous dosing error to his PSO as a patient safety issue. The PSO notifies VendorZ. VendorZ begins working with Dr. X’s office to resolve the issue. Because VendorZ is an analytical contractor with the PSO to which this patient safety issue was reported, the reported problem, analyses, results and recommendations are confidential and privileged. When a solution is identified, there is no legal threat that would lead the PSO or VendorZ to withhold this known problem and solution from other physicians in the PSO who use the same EHR. The PSO notifies all of those physicians who are members of the PSO and proactive work is done to prevent this same problem from harming patients in other practices.

EHR vendors are not inclined to openly discuss EHR problems when there is the threat of litigation against them for doing so, similar to fears physicians have with discussions of their own medical errors.   But this fictional scenario exemplifies one plausible way for EHR vendors and physicians to collaborate on health IT risks today under the protective umbrella of PSOs.

As stewards of safe, quality care physicians should have a basic understanding of PSOs and carefully consider opportunities that arise to engage with a PSO on initiatives to improve outpatient care in their community.   EHR vendors should demonstrate a similar stewardship by helping educate physicians about PSOs and engaging with physicians through PSOs to improve the safety of their EHR products.


CMS Decision on ICD-10 Spurns Optional Path to ICD-11 Without Comparing Value


"The decision to mandate ICD-10 for covered entities has already been made."  

This response in the ICD-10 final rule published last Friday by the Department of Health and Human Services (HHS) bluntly spurns the option of foregoing ICD-10 to implement ICD-11.   HHS predictably argues that the considerable investments already made by healthcare organizations into ICD-10, the years of rulemaking with previous analyses of ICD-10 value/costs and the "uncertainties" over the timeline and value of ICD-11 all justify a decision to eliminate ICD-11 as an option.  

I am disappointed that HHS made no estimates on the comparative value of ICD-10 to ICD-11.   Instead of comparing the total cost of proceeding with ICD-10 and then implementing ICD-11 to the total cost of foregoing ICD-10 to implement ICD-11, HHS candidly explains that "we do not participate in this debate in this rule, except to say that we are convinced of the benefit of ICD-10 to health care delivery in this country."  There clearly was no intent to revisit a previous decision to implement ICD-10, even though there is an opportunity to gather and analyze new information to assure we make an informed decision on the optimal pathway to an inevitable ICD-11 implementation. 

The final rule dismisses the call from several commenters on the proposed rule for an analysis of the total costs of the two pathways to an ICD-11 implementation.   One argument made against such an analysis is that "the disruption and costs of transitioning to ICD-11 are highly unlikely to be less those of transitioning to ICD-10."  I agree that each individual implementation may have comparable costs, but that does not compare the cost of the two pathways, which are: 

  1. Implement ICD-10, then implement ICD-11 (two complete implementations)
  2. Forego ICD-10 to implement ICD-11 (one implementation + sunk ICD-10 investments)

What is the comparative cost of each pathway? A comparison of the costs and benefits could have a significant impact on the decision.  Let's learn from this for next time. 

By the way, there will soon be a next time.  I fear that this decision locks the U.S. into another cycle of the same: using a diagnosis coding system that rapidly becomes archaic and leads to another decade of desperate efforts into the 2030s to upgrade after the rest of the world has already transitioned to ICD-11.

I also fear that the burden will be excessive on healthcare organizations in 2014 to implement ICD-10 and meet the 2014 Stage 2 Meaningful Use requirements, which were both announced by CMS this week.   This burden will be greatest on the small, individual physician practices that are already throttled by meaningful use, 5010, e-prescribing and healthcare reform.  They are struggling to find the time and resources for the ICD-10 effort. Since the EHR Incentive Program has a specified timeline under ARRA, I believe this excessive burden is likely to trigger another delay of ICD-10, at least for small physician practices.  

Will we be left wondering why we didn't just stop investing in ICD-10 back in 2012?


New Texas Privacy Law Increases Physician Liability Including Heftier Enforcement Penalties

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   In a series of weekly blog posts I am illustrating how these stronger patient protections increase physicians' cyber liability.  Consider this case history:

An unencrypted USB drive used to store PHI could not be found in the office.   It contained data on 1,105 patients including names, diagnosis codes and Social Security numbers.   The physician subsequently notified all affected individuals and local media, added technical safeguards by encrypting all PHI stored on mobile devices, added physical safeguards by keeping new portable devices locked in a secure combination safe in the doctor's private office when not in use, and added administrative safeguards including annual privacy training of staff. 

For breaches affecting more than 500 individuals, HIPAA requires physicians to notify not only the affected individuals, but also local media outlets and the Department of Health and Human Services (HHS), which then posts breach information on its website.    However, if the PHI was encrypted, then the loss is not considered a breach and no notification is required.    The privacy violation in this case would have been avoided either by encrypting the thumb drive (a technology-based prevention strategy) or by not downloading PHI to a mobile device at all (an employee training-based prevention strategy).   

HB 300 privacy protections are enforced through penalties, disciplinary actions and audits that are intended to deter breaches.   Several factors are considered when determining the consequences of a breach, including the seriousness of the violation, compliance history, harm done to individuals and efforts made to correct violations.  Civil penalties may be assessed for each violation up to:

  • $5,000 if committed negligently
  • $25,000 if committed knowingly or intentionally
  • $250,000 if committed intentionally and PHI is used for financial gain
  • $1.5 million if a “pattern of practice” is found

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.



Texas Privacy Laws Provide Patients Stronger Rights to Access Electronic Health Record Than HIPAA

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", Texas House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.  Through a series of blogs I am illustrating a variety of these new protections. Today we contrast a patient's right to access their electronic health record (EHR) under HIPAA against HB 300 requirements in Texas. Case history:

A patient alleged that a physician failed to provide him access to his electronic medical record within 30 days of a written request as required by HIPAA. After the Office of Civil Rights (OCR) notified the physician of this allegation, he provided the records but charged the patient a $100.00 “administrative fee” because the patient was delinquent on bills. HIPAA permits only a reasonable cost-based fee (copying and postage) with an explanation or summary if agreed to by the individual. To resolve this matter, the physician refunded the $100.

When state and federal privacy laws diverge, the more protective law prevails.  In Texas, HB 300 combined with other state laws is more protective than HIPAA, for example in a patient's right to access their electronic health records (EHRs). HB 300 mandates that physicians who use EHRs provide patients the requested record in electronic form not later than 15 business days after receiving a written request, unless there is an allowable exception.   The EHR may be provided in another format if the physician's EHR is incapable of producing an electronic copy or if agreed upon by the patient in advance.  Physicians in Texas should align with HB 300 by revising policies on patient access to their EHR and updating their Privacy Notice as needed.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...
