[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
STANDARDS FOR HEALTH IT:
MEANINGFUL USE AND BEYOND
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION
COMMITTEE ON SCIENCE AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 30, 2010
__________
Serial No. 111-112
__________
Printed for the use of the Committee on Science and Technology
Available via the World Wide Web: http://www.science.house.gov
______
U.S. GOVERNMENT PRINTING OFFICE
58-489 WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON SCIENCE AND TECHNOLOGY
HON. BART GORDON, Tennessee, Chair
JERRY F. COSTELLO, Illinois            RALPH M. HALL, Texas
EDDIE BERNICE JOHNSON, Texas           F. JAMES SENSENBRENNER JR., Wisconsin
LYNN C. WOOLSEY, California
DAVID WU, Oregon                       LAMAR S. SMITH, Texas
BRIAN BAIRD, Washington                DANA ROHRABACHER, California
BRAD MILLER, North Carolina            ROSCOE G. BARTLETT, Maryland
DANIEL LIPINSKI, Illinois              VERNON J. EHLERS, Michigan
GABRIELLE GIFFORDS, Arizona            FRANK D. LUCAS, Oklahoma
DONNA F. EDWARDS, Maryland             JUDY BIGGERT, Illinois
MARCIA L. FUDGE, Ohio                  W. TODD AKIN, Missouri
BEN R. LUJAN, New Mexico               RANDY NEUGEBAUER, Texas
PAUL D. TONKO, New York                BOB INGLIS, South Carolina
STEVEN R. ROTHMAN, New Jersey          MICHAEL T. McCAUL, Texas
JIM MATHESON, Utah                     MARIO DIAZ-BALART, Florida
LINCOLN DAVIS, Tennessee               BRIAN P. BILBRAY, California
BEN CHANDLER, Kentucky                 ADRIAN SMITH, Nebraska
RUSS CARNAHAN, Missouri                PAUL C. BROUN, Georgia
BARON P. HILL, Indiana                 PETE OLSON, Texas
HARRY E. MITCHELL, Arizona
CHARLES A. WILSON, Ohio
KATHLEEN DAHLKEMPER, Pennsylvania
ALAN GRAYSON, Florida
SUZANNE M. KOSMAS, Florida
GARY C. PETERS, Michigan
JOHN GARAMENDI, California
VACANCY
------
Subcommittee on Technology and Innovation
HON. DAVID WU, Oregon, Chair
DONNA F. EDWARDS, Maryland             ADRIAN SMITH, Nebraska
BEN R. LUJAN, New Mexico               JUDY BIGGERT, Illinois
PAUL D. TONKO, New York                W. TODD AKIN, Missouri
HARRY E. MITCHELL, Arizona             PAUL C. BROUN, Georgia
GARY C. PETERS, Michigan
JOHN GARAMENDI, California
BART GORDON, Tennessee                 RALPH M. HALL, Texas
HILARY CAIN Subcommittee Staff Director
MEGHAN HOUSEWRIGHT Democratic Professional Staff Member
TRAVIS HITE Democratic Professional Staff Member
MATT McMAHON Democratic Professional Staff Member
JULIA JESTER Republican Professional Staff Member
VICTORIA JOHNSTON Research Assistant
C O N T E N T S
September 30, 2010
Witness List
Hearing Charter
Opening Statements
Statement by Representative David Wu, Chairman, Subcommittee on Technology and Innovation, Committee on Science and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Adrian Smith, Ranking Minority Member, Subcommittee on Technology and Innovation, Committee on Science and Technology, U.S. House of Representatives
    Written Statement
Witnesses:
Dr. David Blumenthal, National Coordinator for Health Information Technology, Office of the National Coordinator, U.S. Department of Health and Human Services
    Oral Statement
    Written Statement
    Biography
Ms. Kamie Roberts, Associate Director for Federal and Industrial Relations, Information Technology Laboratory, National Institute of Standards and Technology
    Oral Statement
    Written Statement
    Biography
Ms. Joyce Sensmeier, Vice President, Informatics, Healthcare Information and Management Systems Society
    Oral Statement
    Written Statement
    Biography
Dr. Richard Gibson, President, Oregon Health Network
    Oral Statement
    Written Statement
    Biography
Ms. Deven McGraw, Director of the Health Privacy Project, Center for Democracy and Technology
    Oral Statement
    Written Statement
    Biography
Ms. Deb Bass, President and CEO, Bass & Associates Inc.
    Oral Statement
    Written Statement
    Biography
Appendix 1: Answers to Post-Hearing Questions
Dr. David Blumenthal, National Coordinator for Health Information Technology, Office of the National Coordinator, U.S. Department of Health and Human Services
Ms. Kamie Roberts, Associate Director for Federal and Industrial Relations, Information Technology Laboratory, National Institute of Standards and Technology
Ms. Joyce Sensmeier, Vice President, Informatics, Healthcare Information and Management Systems Society
Dr. Richard Gibson, President, Oregon Health Network
Ms. Deven McGraw, Director of the Health Privacy Project, Center for Democracy and Technology
Appendix 2: Additional Material for the Record
Letter to Charlene M. Frizzera, Acting Administrator, Centers for Medicare and Medicaid Services, Department of Health and Human Services, from Susan M. Walthall, Acting Chief Counsel Advocacy, and Linwood L. Rayford III, Assistant Chief Counsel for Food, Drug, and Health Affairs, Small Business Administration, dated March 15, 2010, Submitted by Representative Paul C. Broun
STANDARDS FOR HEALTH IT: MEANINGFUL USE AND BEYOND
----------
THURSDAY, SEPTEMBER 30, 2010
House of Representatives,
Subcommittee on Technology and Innovation,
Committee on Science and Technology,
Washington, DC.
The Subcommittee met, pursuant to call, at 10:18 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. David Wu
[Chairman of the Subcommittee] presiding.
Hearing Charter
COMMITTEE ON SCIENCE AND TECHNOLOGY
SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION
U.S. HOUSE OF REPRESENTATIVES
Standards for Health IT:
Meaningful Use and Beyond
Thursday, September 30, 2010
10:00 a.m.-12:00 p.m.
2318 Rayburn House Office Building
I. PURPOSE
The integration of information technology (IT) with health care has
the potential to improve patient care and lower escalating health care
costs. Standards that enable interoperability among products developed
by different vendors, as well as standards to ensure the privacy and
security of electronic health care information, are central to
realizing the benefits of health IT. In 2009, with the passage of the
American Recovery and Reinvestment Act, Congress created programs and
incentives to help speed the adoption of health IT, including measures
to ensure the establishment of technical standards.
The purpose of this hearing is to examine the progress by the
Department of Health and Human Services, the National Institute of
Standards and Technology, and non-governmental health IT stakeholders
in establishing standards for health IT, providing guidance for their
implementation, and creating a mechanism to certify that health IT
products comply with the established standards. Witnesses will also
discuss future priorities for ensuring the interoperability of health
IT systems, and the privacy and security of electronic health
information.
II. WITNESSES
Dr. David Blumenthal, National Coordinator for Health
Information Technology, Office of the National Coordinator,
U.S. Department of Health and Human Services
Ms. Kathleen M. Roberts, Associate Director for
Federal and Industrial Relations, Information Technology
Laboratory, National Institute of Standards and Technology
Ms. Joyce Sensmeier, Vice President, Informatics,
Healthcare Information and Management Systems Society
Dr. Dick Gibson, President, Oregon Health Network
Ms. Deven McGraw, Director of the Health Privacy
Project, Center for Democracy and Technology
Ms. Deb Bass, President and CEO, Bass & Associates,
Inc.
III. BRIEF OVERVIEW
Despite the potential benefits of health IT and electronic health
records (EHRs) in lowering health care costs and improving patient
care, the health care industry has been relatively slow to incorporate
information technology into the delivery of medical services. The lack
of established standards for health IT has been a key challenge
hindering wider adoption of this technology. Standards ensure that
information can be exchanged seamlessly between software and hardware
devices developed by different vendors or put on the market at
different times.
Through the HITECH Act [Title XIII of the American Recovery and
Reinvestment Act (ARRA), P.L. 111-5], Congress created programs and
incentives to encourage health IT adoption. In addition, the Act
provided a mechanism to establish technical standards, and further
provided that any health IT products purchased with ARRA funds must
comply with standards established by the Department of Health and Human
Services (HHS). With guidance from several advisory committees, HHS
issued a final rule in July of this year identifying the standards that
would support the first stage of Medicare incentive payments for health
IT products (termed ``meaningful use'' requirements).
The initial standards established by HHS provide an important
baseline of functionality for health IT products. However, many
standards-related issues have not yet been fully addressed. To ensure
the seamless exchange of health information among authorized entities
and realize the full benefit of health IT, the health care community
will need robust standards and related products for interoperability.
In addition, the standards process will require coordination to ensure
that standards developers are able to support the needs of the health
care community as health IT technology evolves. Finally, baseline
national privacy and security policies could help health IT developers
and users alike maximize the benefits of the technology.
IV. BACKGROUND
The Role of IT in Health Care
Studies and statistics show that a lack of ease in information
exchange and communication contributes to medical errors,
duplicative tests, and other wasteful practices. For instance, one
study found that nearly one out of every five doses of medication given
in typical hospitals or skilled nursing facilities was somehow in
error. Most often, the medication was delivered at the wrong time, but
other times the dosage was wrong or the incorrect medication was
administered altogether. The study, in the Archives of Internal
Medicine, further explained that these errors were harmful to the
patient in 7 percent of cases (40 per day in a 300 patient facility)
\1\. Other studies have found that miscommunication between doctors,
patients, and others involved in patient care was a major factor in 80
percent of medical errors.\2\ Health IT could help medical
professionals, and their patients, manage complex or chronic
conditions, identify harmful drug interactions or possible allergies,
and provide other care support tools.
---------------------------------------------------------------------------
\1\ Barker, et al. 2002 Medication Errors Observed in 36 Health
Care Facilities, Archives of Internal Medicine.
\2\ Woolf, et al. 2004 A String of Mistakes: The Importance of
Cascade Analysis in Describing, Counting, and Preventing Medical
Errors, Annals of Family Medicine.
---------------------------------------------------------------------------
Adoption of health care IT is also widely seen as a way to stem the
rising costs of health care. According to a report issued by the
National Academies, an estimated half-trillion dollars per year is
associated with ``overuse, underuse, misuse, duplication, system
failures, unnecessary repetition, poor communication, and
inefficiency.'' \3\ Although estimates vary on the actual savings that
could be expected from health IT, a study published in Health Affairs
estimated that a fully interoperable, national health IT network could
save $77.8 billion a year, equal to 5 percent of annual U.S. health
care spending.\4\ In addition to reducing costs associated with medical
errors, health IT could enable other cost-saving measures such as
prompting physicians to prescribe generic drugs or making test results
more readily available, thus avoiding duplicative tests.
---------------------------------------------------------------------------
\3\ Report by the National Academies, 2005 Building a Better
Delivery System: A New Engineering/Health Care Partnership
\4\ Walker, et al. 2005 The Value of Health Care Information
Exchange and Interoperability, Health Affairs.
---------------------------------------------------------------------------
Adoption of IT by the Health Care Industry and Technical Standards
The health care industry has been slow to adopt health IT, despite
its potential impact. A study published in June of 2008 found that only
4 percent of U.S. physicians had a fully functional electronic health
records (EHRs) system, which the authors defined as an EHR system with
a broad range of capabilities including clinical order entry and clinical
decision support. Thirteen percent of those surveyed in the study used
a basic EHR, which the study described as one with a minimum set of
functionalities, such as recording laboratory data and clinical notes
and electronic prescribing.\5\
---------------------------------------------------------------------------
\5\ DesRoches, et al. 2008 Electronic Health Records in Ambulatory
Care--A National Survey of Physicians, The New England Journal of
Medicine
---------------------------------------------------------------------------
One of the key barriers to wider adoption of health IT has been the
lack of robust, widely-accepted technical standards. To realize the
benefits of health IT, systems must be interoperable, allowing data
systems, medical devices, and software from different vendors to share
EHRs, as well as electronic physician orders for lab tests and drug
prescriptions, electronic referrals to specialists, electronic access
to information about current treatment recommendations and research
findings, and other capabilities. In addition to the need for standards
to ensure that disparate systems are interoperable, standards are
needed to meet data security and privacy requirements to enable
compliance with federal and state patient privacy laws.
The Science and Technology Committee held hearings on health IT in
the 109th and 110th Congresses. During those hearings, witnesses
identified the lack of common standards as one of the challenges facing
greater health IT adoption. Witnesses claimed that, without these
standards, health care providers would not have a reasonable guarantee
that the systems they purchase will be able to exchange information
with systems that are currently in use, or that may be installed in the
future. At the hearing held in September of 2007, witnesses agreed that
NIST should assist HHS in efforts to establish standards for health IT.
NIST is the Federal Government's lead agency for supporting the
development of technical standards and conformance testing, and has a
long history of working with the private sector, federal agencies, and
other stakeholders to develop consensus-based standards in fields such
as electronic commerce, manufacturing, and information security.
HITECH Act
Congress passed the HITECH Act as part of the American Recovery and
Reinvestment Act (ARRA) in 2009. The HITECH Act established programs
and incentives to boost the rate of adoption of health IT systems. It
also codified the Office of the National Coordinator for Health
Information Technology (ONCHIT) \6\ and strengthened provisions
pertaining to privacy and security of electronically stored and
exchanged health information in federal law. The HITECH Act gave ONCHIT
the role of overseeing the establishment of standards and a
certification process for health IT technology, guided by
recommendations from two Federal Advisory Committees--the Health IT
Policy Committee and the Health IT Standards Committee--on the
``implementation of a nationwide health IT infrastructure.''
---------------------------------------------------------------------------
\6\ Federal efforts to encourage widespread health IT adoption
began in 2004 when President Bush signed an executive order creating
the Office of the National Coordinator for Health IT (ONCHIT) within
HHS, and stated the goal of widespread EHR adoption within 10 years.
ONCHIT initiated a number of activities, including work on standards
and certification.
---------------------------------------------------------------------------
The HITECH Act charged the HIT Policy Committee with providing
recommendations on areas in need of standards, implementation
specifications, and certification criteria. The Act further charged the
Health IT Standards Committee with ``develop[ing], harmoni[zing], and
recogni[zing]'' standards and related material, and providing
recommendations on these for consideration by ONCHIT and HHS. The
HITECH Act directs the ONCHIT to ensure that federal funds expended
toward health IT technology go toward certified EHR technology that
incorporates the standards and capabilities developed by the Policy and
Standards Committees, and promulgated by HHS.
The HITECH Act also directs NIST to test the standards,
implementation specifications, and certification criteria that emerge
from the ONCHIT standards process. Additionally, the HITECH Act charges
NIST with developing a conformance testing infrastructure, including
creating technical test beds, and provided NIST with $20 million to
develop this infrastructure. Conformance testing is necessary to ensure
that the health IT products meet all of the requirements of the
standards and that the standards are correctly implemented. To date,
HHS has approved three testing and certification bodies and product
certification is expected to begin shortly. In addition to supporting
HHS with health IT testing and certification, NIST has assisted HHS
with establishing security standards and guidance for health IT
products.
Since the passage of the HITECH Act, much of the work of the two
advisory committees has focused on providing recommendations to the
ONCHIT regarding ``meaningful use.'' Under the HITECH Act, medical
providers are entitled to apply for Medicare incentive payments
beginning in 2011 if they adopt EHRs for their patients and meet
certain requirements. Finalized in July of this year, these include 15
``core set'' requirements and 10 ``menu set'' options. Meaningful users
must meet the 15 core requirements and at least 5 of the menu set
options. Core set requirements include using an EHR to record smoking
status for 50 percent of patients 13 years of age or older and to
maintain an active medication list for 80 percent of patients. The core
set includes only one requirement related to data exchange--users must
perform at least one test of an EHR's capacity to electronically
exchange information. The menu set options include using health IT
systems to generate a listing of patients with a specific condition or
to perform at least one test data submission of immunization data to
immunization registries. As specified in the HITECH Act, requirements
will be added for future stages of meaningful use.\7\
---------------------------------------------------------------------------
\7\ Providers who become meaningful users of EHRs beginning in 2011
are entitled to Medicare incentive payments. For providers adopting
EHRs in 2014, no incentive payments will be provided. By 2015,
providers not using EHRs will be penalized through reductions on
Medicare payments. Additional requirements will be added in later
stages of meaningful use. Note, there is a corresponding timeline for
providers who become meaningful users under the Medicaid incentive
program.
---------------------------------------------------------------------------
In addition to specifying the basic functionality for certified
EHRs, the final rule also included the standards, implementation
specifications, and certification criteria required to be met by all
certified EHRs.
National Health Information Network
In 2005, HHS began developing a National Health Information Network
(NHIN). It was conceived of as a ``network of networks'' that would
allow for the secure exchange of health information among health care
providers. In 2007, HHS awarded contracts totaling $22.5 million to
nine health information exchanges (HIEs) to begin trial implementation
of the NHIN.
ONCHIT has continued work on developing standards and policies for
a national health information exchange, whose core capabilities include
the ability to look up, retrieve, and securely exchange health
information; the ability to apply consumer preferences for sharing
information; and the ability to apply and use the NHIN for other
business capabilities as authorized by the health care consumer. ONCHIT
has continued work on the NHIN, and is now also working on the NHIN
Direct project, which will include standards, policies, and services to
enable the transport of medical records between authorized providers.
Privacy and Security
A number of state and federal laws and regulations cover the
confidentiality of personal health information. On the federal level,
the privacy and security of medical information are protected by the
Health Information Portability and Accountability Act (HIPAA). The
HITECH Act expanded upon the HIPAA requirements with stricter
enforcement mechanisms, requirements for breach notification, and the
expansion of the privacy and security regulations to cover business
associates of the health care provider.\8\ The HITECH Act also required
HHS to issue guidance on ``technologies and methodologies that render
protected health information unusable, unreadable, or indecipherable to
unauthorized individuals.'' Covered entities that follow the guidance
issued by HHS but still suffer a security breach are not subject to the
breach notification requirements or the stricter penalties enacted in
the HITECH Act.
---------------------------------------------------------------------------
\8\ Relevant business associates include business partners of the
provider that may provide various services, such as accounting or
management, wherein individually identifiable health information is
disclosed.
---------------------------------------------------------------------------
The meaningful use requirements give guidance on technologies and
methodologies (such as encryption) to protect data. They also require
users of health IT systems to perform a risk analysis to determine the
nature and likelihood of threats, and to base their security measures
on this analysis while considering the cost and complexity of needed
security infrastructure.
V. ISSUES & CONCERNS
The standards adopted by HHS for meaningful use are an important
step in establishing recognized standards for health IT systems and
EHRs. However, while the standards provide a layer of commonality among
health IT products, the final rule included only minimal provisions
concerning interoperability.
At the same time, throughout the country, medical providers and
states are developing electronic health information exchange networks,
as well as pursuing other health IT projects. The Federal Government is
also pursuing the NHIN and NHIN Direct projects. It is unclear whether,
and to what extent, the standards-related components of these efforts
are being coordinated to ensure interoperability in the future.
HHS has recently released an initial standards and interoperability
framework. This framework will presumably guide the coordination of
future standards activities, including harmonization, development,
testing, and priority setting. However, HHS has not yet clearly
described how it will maintain the transparency and stakeholder input
that is an important component of the standards setting and development
process. In addition, the framework does not specify how HHS will
continue to work with NIST on health IT standards.
The HITECH Act strengthened privacy and security protections for
patient information by requiring breach notification of readable data
and implementing stricter penalties for the disclosure of personal
health information. However, there is little federal guidance beyond
HIPAA for implementing these stricter privacy and security measures.
For example, no guidance exists on the federal level on whether
individuals must opt-in to or opt-out of an electronic health exchange,
or on the granularity, or degree, of patient consent needed to disclose
certain types of health information. These are policy questions, often
subject to individual state rules, but they impact the technology
solutions that will be needed by health care providers. In addition,
while the security measures adopted for EHRs allow for flexible
implementation, they may prove challenging to implement, particularly
among small practices.
Chairman Wu. The hearing will now come to order. Thank you
all very much for being here today.
I would like to recognize that there is a group of high
school students from Beijing, China, with us today. Thank you
very much for being here, and I hope that you find this
experience edifying for your future studies.
And I thank the witnesses for being here and for traveling,
in some instances, long distances.
In the Internet age, most of us take for granted being able
to rapidly and seamlessly share information with someone across
town, in another state or on the other side of the world. We
also take for granted the ubiquitous integration of information
technology in our workplace and in many other aspects of our
lives.
In contrast, the health care industry is still surprisingly
paper-based and is largely unaided by information technology.
Medical treatment in this country often involves
state-of-the-art technology. However, physicians and other health care
providers have been slow to adopt health IT systems and
electronic health records--or EHRs--and are still keeping track
of our medical information the same way it has been kept
historically.
The use of information technology has real-world
implications for the cost and quality of health care.
Currently, providers may order a duplicative test because
previous test results from another provider are not readily at
hand, or they may miss a harmful drug interaction because a
patient's full prescription drug record is not available.
According to most estimates, a fully interoperable health IT
system could save us billions of dollars in health care costs
each year. In addition, greater use of information technology
could prevent some of the medical errors that, as reported by
the National Academies, are responsible for the deaths of
approximately 98,000 people each year.
A key barrier to broader integration of health IT systems
has been the lack of technical standards to support
interoperability and protect data and privacy. Many physicians,
particularly those in small practices where most Americans get
their health care, are hesitant to take on the considerable
expense of a health IT system that without common standards may
not work with the systems of a neighboring health care provider
or may become prematurely obsolete.
This is the third hearing the Science and Technology
Committee will have held on health IT standards since the 109th
Congress. I am very eager to hear about the progress we have
made on standards, especially since the implementation of the
HITECH Act. In that Act, Congress included a directive to the
federal agencies before us today to establish health IT
standards and develop related measures to enable different
manufacturers and vendors to produce software and other devices
that will work with other products on the market today, as well
as tomorrow.
Given the complexity of our healthcare system, with its
myriad of players and large number of state and federal laws
governing personal medical information, the HITECH Act charged
the Office of the National Coordinator with a very difficult
task. From all reports, the National Coordinator has done an
admirable job meeting tight deadlines and navigating the needs
of many stakeholders. NIST has also played an important role,
lending to HHS its extensive expertise in standards, testing,
and certification.
However, as I am sure we will discuss today, we still have
a long way to go in promoting interoperability, coordinating
the many health IT projects underway, governing the standards
development process and providing direction on privacy and
security. Modernizing our health care system with information
technology is imperative for lowering health care costs and
improving patient care, and I look forward to hearing the
thoughts and recommendations of the witnesses today on how we
will successfully meet these challenges.
Chairman Wu. Now I would like to recognize the Ranking
Member, Mr. Smith, for his opening statement.
[The prepared statement of Chairman Wu follows:]
Prepared Statement of Chairman David Wu
Good morning. I would like to welcome everybody to today's hearing
on healthcare information technology.
In the Internet age, most of us take for granted being able to
rapidly and seamlessly share information with someone across town, in
another state, or on the other side of the world. We also take for
granted the ubiquitous integration of information technology in our
workplace and in many other aspects of our daily lives.
In contrast, the health care industry is still surprisingly
paper-based and largely unaided by information technology. Medical treatment
in this country often involves state-of-the-art technology. However,
physicians and other health care providers have been slow to adopt
health IT systems and electronic health records--or EHRs--and are still
keeping track of our medical information the same way they were 50
years ago.
The use of information technology has real-world implications for
the cost and quality of health care. Currently, providers may order a
duplicative test because previous test results from another provider
are not readily at hand, or they may miss a harmful drug interaction
because a patient's full prescription drug record is not available.
According to most estimates, a fully interoperable health IT system
could save us billions of dollars in health care costs each year. In
addition, greater use of information technology could prevent some of
the medical errors that, as reported by the National Academies, are
responsible for the deaths of approximately 98,000 people each year.
A key barrier to broader integration of health IT systems has been
the lack of technical standards to support interoperability and protect
data and privacy. Many physicians, particularly those in small
practices where most Americans get their health care, are hesitant to
take on the considerable expense of a health IT system that, without
common standards, may not work with the systems of a neighboring health
care provider or may become prematurely obsolete.
This is the third hearing the Science and Technology Committee will
have held on health IT standards since the 109th Congress. I am very
eager to hear about the progress we have made on standards, especially
since the implementation of the HITECH Act. In that act, Congress
included a directive to the federal agencies before us today to
establish health IT standards and develop related measures to enable
different manufacturers and vendors to produce software and other
devices that will work with other products on the market today, as well
as tomorrow.
Given the complexity of our healthcare system, with its myriad of
players and large number of state and federal laws governing personal
medical information, the HITECH Act charged the Office of the National
Coordinator with a very difficult task. From all reports, though, the
National Coordinator has done an admirable job meeting tight deadlines
and navigating the needs of many stakeholders. NIST has also played an
important role, lending to HHS its extensive expertise in standards,
testing, and certification.
However, as I am sure we will discuss today, we still have a ways
to go in promoting interoperability, coordinating the many health IT
projects underway, governing the standards development process, and
providing direction on privacy and security. Modernizing our health
care system with information technology is imperative for lowering
health care costs and improving patient care, and I look forward to
hearing the thoughts and recommendations of the witnesses today on how
we will successfully meet these challenges.
Mr. Smith. Thank you, Mr. Chairman, for calling today's
hearing on development and implementation of standards and
testing for interoperability of health information technology.
With the enactment of the HITECH Act and other measures since
our last full Committee hearing on this issue in September
2007, a follow-up hearing on this topic is certainly
appropriate and appreciated.
Interoperability of health IT is vital to ensuring one of
the greatest benefits of electronic medical records: the
ability of multiple practitioners in different locations to
access a patient's medical records. This access helps avoid
adverse interactions, duplicative testing and other medical
errors while improving coordination of care.
To maximize the potential of health IT, it is vital these
benefits be available not just in a metropolitan area or a
single state but across state lines. For example, in my own
Congressional district, it is not uncommon for those in need of
higher-level health care to seek it in Colorado, South Dakota,
Kansas or Wyoming rather than from another in-state location
such as the larger cities of Lincoln and Omaha. It is vital
that electronic medical records be available both close to home
and out of state.
For this reason, and among others, it is appropriate that
NIST and other federal agencies play a role in developing
interoperability standards and testing for such technologies.
NIST in particular is a trusted arbiter of standards
development and testing and has the proven expertise to assist
the Department of Health and Human Services in developing
testing methods to ensure technology is interoperable as
promised.
Additionally, we must ensure interoperability standards
protect private and taxpayer dollars from being wasted on
technologies which are not proven to be interoperable--not as a
barrier to future innovations, which could further improve the
quality and coordination of patient care.
Thank you again, Mr. Chairman and witnesses. In particular,
I would like to welcome our witness Deb Bass, who is Executive
Director of the Nebraska Health Information Initiative based in
Omaha. I look forward to a constructive session. Thank you.
[The prepared statement of Mr. Smith follows:]
Prepared Statement of Representative Adrian Smith
Thank you, Chairman Wu, for calling today's hearing on the
development and implementation of standards and testing for
interoperability of health information technology. With the enactment
of the HITECH Act and other measures since our last full committee
hearing on this issue in September 2007, a follow-up hearing on this
topic is indeed appropriate and appreciated.
Interoperability of health IT is vital to ensuring one of the
greatest benefits of electronic medical records--the ability of
multiple practitioners in different locations to access a patient's
medical records. This access helps avoid adverse interactions,
duplicative testing, and other medical errors while improving
coordination of care.
To maximize the potential of health IT, it is vital these benefits
be available not just in a metropolitan area or a single state, but
across state lines. For example, in my own congressional district it is
not uncommon for those in need of higher level care to seek it in
Colorado, South Dakota, Kansas, or Wyoming, rather than from another
in-state location such as Lincoln or Omaha. It is vital electronic
medical records be available both close to home and out of state.
For this reason, among others, it is appropriate NIST and other
federal agencies play a role in developing interoperability standards
and testing for such technologies. NIST, in particular, is a trusted
arbiter of standards development and testing, and has the proven
expertise to assist the Department of Health and Human Services in
developing testing methods to ensure technology is interoperable as
promised.
However, we must ensure interoperability standards protect private
and taxpayer dollars from being wasted on technologies which are not
proven to be interoperable--not as a barrier to future innovations
which could further improve the quality and coordination of patient
care.
Thank you again, Mr. Chairman and witnesses. In particular I'd like
to welcome one of our witnesses, Deb Bass, who is Executive Director of
the Nebraska Health Information Initiative, based in Omaha. I look
forward to a constructive session.
Chairman Wu. Thank you very much, Mr. Smith.
If there are Members who wish to submit additional opening
statements, your statements will be added to the record at this
point.
And now it is my pleasure to introduce our witnesses. Dr.
David Blumenthal is the National Coordinator for Health
Information Technology at the Office of the National
Coordinator for the United States Department of Health and
Human Services. Ms. Kathleen M. Roberts is the Associate
Director for Federal and Industrial Relations at the
Information Technology Laboratory for the National Institute
of Standards and Technology. Ms. Joyce Sensmeier is the Vice
President of Informatics for the Healthcare Information and
Management Systems Society. Dr. Dick Gibson is the President of
the Oregon Health Network. Ms. Deven McGraw is the Director of
the Health Privacy Project for the Center for Democracy and
Technology. Ms. Deb Bass is the President and CEO of Bass and
Associates.
You will each have five minutes for your spoken testimony.
Your written testimony will be included in the record for the
hearing. And when you all complete your testimony, we will
begin with questions and each Member will have five minutes to
question the panel. Dr. Blumenthal, please begin.
STATEMENT OF DAVID BLUMENTHAL, NATIONAL COORDINATOR FOR HEALTH
INFORMATION TECHNOLOGY, OFFICE OF THE NATIONAL COORDINATOR,
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Dr. Blumenthal. Mr. Chairman, Ranking Member Smith,
distinguished Subcommittee Members, thank you for the
opportunity to testify today on behalf of the Department of
Health and Human Services.
The HITECH Act represents an historic and unparalleled
investment in health information technology. It lays the
groundwork necessary to pursue the President's goals related to
improved health care quality and efficiency and will help
transform the way health care is both practiced and delivered.
We have made considerable progress in the relatively short
time since the HITECH Act's passage. Our recent accomplishments
include the establishment of two new federal advisory
committees, the completion of three rulemakings together with
the Centers for Medicare and Medicaid Services necessary to
establish Meaningful Use, Stage 1, strengthening coordination
throughout the Executive Branch on health information
technology, and the responsible obligation of nearly all of the
$2 billion that we were authorized to spend under the American
Recovery and Reinvestment Act.
My remarks today will highlight progress that ONC has made
thus far related to interoperability, privacy and security as
well as our standards and priorities for future stages of
Meaningful Use. Interoperability and privacy and security are
themes that are present throughout the HITECH Act. Thus, many
of our policy and programmatic efforts focus on those themes.
Established by the HITECH Act, the HIT Policy and Standards
Committees both regularly issue recommendations on how best to
fulfill our statutory responsibilities. Both committees include
a diverse membership with representatives of various
perspectives from both the public and private sectors. The
Policy Committee's work on privacy and security exemplifies its
major contribution, and I want to note that Ms. McGraw has been
a major contributor through the Policy Committee to that work.
The privacy and security of electronic health information
form the bedrock necessary to build trust. To ensure that we
have timely privacy and security recommendations related to our
HITECH programs, the HIT Policy Committee formed an
interdisciplinary privacy and security Tiger Team of experts
comprised of members from the HIT Policy and Standards
Committees as well as from the National Committee on Vital and
Health Statistics. The Tiger Team has already provided valuable
guidance to ONC and HHS.
Like its sister committee, the HIT Standards Committee
plays a critical role in guiding ONC. Since its inception, the
HIT Standards Committee has issued recommendations to ONC on
the standards and implementation specifications that should be
considered to support Meaningful Use Stage 1 and the
development and maintenance of specific vocabularies to improve
interoperability.
With the advice of these committees and extensive external
consultation, we completed last July three independent
rulemakings that were necessary to implement Meaningful Use
Stage 1. These rules cumulatively reflect over 2,000 public
comments from stakeholders across the health care system.
The first rule was the EHR incentive program and defined
Meaningful Use Stage 1. ONC and the Centers for Medicare and
Medicaid Services worked collaboratively to strike a balance
that reflected both the urgency of adopting EHR technology and
the challenges that adoption will pose to health care
providers. Our approach attempts to move the health system
upward toward improved quality and effectiveness but at a speed
that reflects both the capacities of providers who face
multiple real-world challenges and the maturity of the
technology itself.
The second rule defined EHR standards, implementation
specifications, and certification criteria adopted by the
Secretary to support Meaningful Use. The initial standard set
several specific interoperability and security capabilities
that certified EHR technology must incorporate including e-
prescribing according to specific standards, exchanging
standardized patient summary records, authenticating users,
generating audit logs and encrypting health information
according to standards specified by NIST.
In the third rule, ONC established a temporary
certification process. We have now authorized three
certification bodies. In developing our certification programs,
we consulted extensively with our colleagues at NIST, which has
been an invaluable partner in all our efforts to implement the
HITECH Act.
We anticipate that future stages of Meaningful Use will
build on the foundation we have now established and will
require progressively more rigorous electronic health
information exchange requirements. In order to develop those
requirements, we have again asked the HIT Policy Committee to
make recommendations on what Meaningful Use stages 2 and 3
should encompass.
We anticipate that the Standards Committee will then begin
to focus on the standards implementation specifications and
certification criteria that will be necessary for future stages
of Meaningful Use. We also expect the Standards Committee to
issue recommendations that focus on strengthening security
capabilities of EHR technologies and on standards for
electronic health information exchange in support of meaningful
use. Interoperability will be critical to our success in stages
2 and 3. We recognize that greater specificity with respect to
standards is necessary to reach our goals and we will be
working on adopting additional implementation specifications,
achieving agreement on vocabulary and code sets for particular
exchange purposes and comprehensive privacy and security
capabilities for EHR technology.
ONC and CMS have accomplished a great deal up to now but
much remains to be done. We look forward to working with the
House and Science and Technology Committee on this important
endeavor, and it has been my privilege to testify before you
today and I look forward to answering any questions you may
have.
[The prepared statement of Dr. Blumenthal follows:]
Prepared Statement of David Blumenthal
Chairman Wu, Ranking Member Smith, distinguished Subcommittee
members, thank you for the opportunity to submit testimony on behalf of
the Department of Health and Human Services (HHS) on our progress and
priorities related to interoperability and the security of electronic
health records and health information technology (HIT) systems since
the passage of the Health Information Technology for Economic and
Clinical Health Act (HITECH Act).
The HITECH Act represents an historic and unparalleled investment
in HIT, lays the groundwork necessary to pursue the President's goals
related to improved health care quality and efficiency, and will help
transform the way health care is both practiced and delivered. The
provisions of the HITECH Act are best understood not as investments in
technology per se, but as efforts to improve the health of Americans
and the performance of their health care system.
Interoperability and privacy and security are themes that are
present throughout the HITECH Act. Consequently, many of our policy and
programmatic efforts also focus on those themes. We have made
remarkable progress in the relatively short time since the HITECH Act's
passage. Our recent accomplishments include: the establishment of two
new federal advisory committees, the HIT Policy Committee and HIT
Standards Committee; the completion of the three rulemakings necessary
to establish meaningful use Stage 1 for the Medicare and Medicaid
Electronic Health Record (EHR) Incentive Programs; strengthened
coordination throughout the Executive Branch on HIT; and the
responsible obligation of nearly all of the $2 billion we were
authorized under the American Recovery and Reinvestment Act of 2009
through the creation of several programs that will have a lasting
impact on the HIT landscape. As we take stock of our successes and
complete the challenges in front of us, we recognize that much work
still remains in order to reach our goals for the future.
The first half of my testimony focuses on the progress that the
Office of the National Coordinator for Health Information Technology
(ONC) has made thus far related to interoperability and privacy and
security, generally, while the second half discusses the work we are
currently pursuing with respect to standards in order to support the
latter stages of meaningful use.
Building on HITECH
The HIT Policy and Standards Committees
Established by the HITECH Act, the HIT Policy and HIT Standards
Committees both contribute a great deal to our activities and regularly
issue recommendations on how to best fulfill our responsibilities and
implement the ambitious agenda set forth by the HITECH Act. Both
Committees include a diverse membership, with representatives of
various perspectives from both the public and private sectors. The HIT
Standards Committee, for example, combines standards experts from the
private sector with Federal government leaders from OSTP, NIST, DoD,
VA, and CMS.\1\
---------------------------------------------------------------------------
\1\ OSTP: Office of Science and Technology Policy; NIST: National
Institute of Standards and Technology; DoD: Department of Defense; VA:
Department of Veterans Affairs; CMS: Centers for Medicare & Medicaid
Services
---------------------------------------------------------------------------
As we continue to implement the HITECH Act, we are acutely aware
that it is paramount to implement appropriate policies to keep
electronic health information private and secure. Privacy and security
form the bedrock necessary to build trust. Patients and providers must
feel confident in the processes, policies, and standards in place
related to HIT and the electronic exchange of health information. Thus,
to ensure that we have timely privacy and security recommendations
related to the HITECH programs for which we are responsible, the HIT
Policy Committee formed an interdisciplinary ``Privacy and Security
Tiger Team'' of experts comprised of members from both the HIT Policy
and Standards Committees. Members from the National Committee on Vital
and Health Statistics (NCVHS) also serve on the Tiger Team to ensure
the efforts of these committees are coordinated.
Building on the work of the Tiger Team, the HIT Policy Committee
has, in accordance with its mandate in the HITECH Act, recently
submitted recommendations regarding data segmentation technologies to
ONC, as well as recommendations on obtaining patient consent in various
contexts. In upcoming months, the Tiger Team in coordination with the
HIT Policy Committee will continue to prioritize and address additional
privacy and security issues including: the privacy and security
requirements for participants in health information exchange activities
who are not subject to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) Privacy and Security Rules;
credentialing assurance levels; individual access; transparency;
security safeguards; and de-identified data.
Like its sister committee, the HIT Standards Committee plays a
critical role in guiding ONC. In August 2009, and again in March 2010,
it issued recommendations to ONC on the standards and implementation
specifications that should be considered to support meaningful use
Stage 1. It has also formed workgroups which focus on clinical
operations, clinical quality, and implementation. Most recently, the
HIT Standards Committee established a vocabulary task force under the
clinical operations workgroup to address vocabulary subsets and value
sets as facilitators and enablers of meaningful use. In April, 2010,
the HIT Standards Committee made recommendations to ONC based on the
work of the clinical operations workgroup and taskforce. These
recommendations broadly addressed several areas related to the
identification, development, review, testing, and maintenance of
vocabularies, value sets, and code sets, as well as the establishment
of an authoritative vocabulary infrastructure.
Finally, in response to their charge under Section 1561 of the
Patient Protection and Affordable Care Act, the HIT Policy and
Standards Committees recently made recommendations to ONC for the
Secretary's consideration regarding interoperable and secure standards
and protocols that facilitate enrollment of individuals in Federal and
State health and human services programs. On September 17, the
Secretary adopted this first set of recommendations and they were
published on ONC's website.\2\
---------------------------------------------------------------------------
\2\ http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3161
---------------------------------------------------------------------------
Meaningful Use Stage 1
This past July marked the completion of the three interdependent
rulemakings that were necessary to implement ``Meaningful Use Stage
1,'' the first stage of the Medicare and Medicaid EHR Incentive
Programs. The first rulemaking establishes the requirements that
eligible health care providers \3\ will need to satisfy in order to
qualify for incentive payments. The second specifies the technical
capabilities and standards that certified EHR technology will need to
include to support these health care providers. And the third creates
the processes for EHR technology to be tested and certified, thus
providing confidence and assurance to eligible health care providers
that the certified EHR technology they adopt will perform as expected.
These rules, cumulatively, reflect over 2,000 public comments from
stakeholders across the health care system, and illuminate the initial
pathway to achieving an integrated and electronically connected health
care system.
---------------------------------------------------------------------------
\3\ ``Eligible health care providers'' is used to mean: ``eligible
professionals, eligible hospitals, and critical access hospitals''
---------------------------------------------------------------------------
In developing the policies for meaningful use Stage 1, the ONC and
CMS worked collaboratively to strike a balance that reflected both the
urgency of adopting EHR technology to improve our health care system
and the challenges that adoption will pose to health care providers.
Our approach attempts to move the health system upward toward improved
quality and effectiveness in health care, but at a speed that reflects
both the capacities of providers who face a multitude of real-world
challenges and the maturity of the technology itself.
In order to ensure that eligible health care providers can obtain
EHR technology capable of assisting their achievement of meaningful use
Stage 1, the Secretary adopted an initial set of standards,
implementation specifications, and certification criteria for EHR
technology (the Initial Set). Much like meaningful use Stage 1, the
Initial Set creates a foundation from which we expect to continue to
build in order to enhance the interoperability and security of EHR
technology. The Initial Set specifies several interoperability and
security capabilities that certified EHR technology must include in
order to support meaningful use Stage 1. With respect to
interoperability, it specifies that certified EHR technology must be
capable of submitting information to public health agencies in standard
formats, that specific standards must be used for electronic
prescribing, and it specifies certain standards (content exchange and
vocabulary) that must be used when patient summary records are
exchanged and when patients are provided electronic copies of their
health information. With respect to privacy and security, the Initial
Set requires that certified EHR technology must be capable of
automatically logging-off a user, access control, authentication,
generating audit logs, checking the integrity of information that is
electronically exchanged, and encrypting health information (according
to standards specified by NIST).
To ensure proper incorporation and use of the adopted standards and
implementation specifications, EHR technology must be tested and
certified according to the certification criteria adopted by the
Secretary. In that regard, we issued, at the end of June, a final rule
establishing the temporary certification program for health information
technology that outlines how organizations can become ONC-Authorized
Testing and Certification Bodies (ONC-ATCBs). Once authorized by the
National Coordinator, the ONC-ATCBs will test and certify that EHR
technology is compliant with the standards, implementation
specifications, and certification criteria adopted by the Secretary. To
date, three organizations have now been granted ONC-ATCB status by the
National Coordinator. We are also working on a final rule for a
permanent certification program that we expect to publish later this
year and that will be fully operational in early 2012. We expect that
this program will be more rigorous than the temporary certification
program and will achieve greater incorporation of international
standards and best practices through requirements such as accreditation
and surveillance. In developing our proposals for both the temporary
and permanent certification programs and, in accordance with the HITECH
Act, we consulted extensively with our colleagues from NIST. During
this time, we established an even closer working relationship with the
experts at NIST and we anticipate continuing to work with them, as the
certification programs mature. NIST has been an invaluable partner in
all our efforts to implement the HITECH Act.
Strengthened Coordination
On a number of fronts, we have actively sought to strengthen
coordination within the Executive branch on complementary activities
where the use of adopted standards and implementation specifications
may be appropriate. In this regard, the Federal HIT Task Force was
created to facilitate implementation of the President's HIT agenda
through better coordination among Federal agencies. As noted, under the
aegis of this HIT Task Force, we are working with the President's
Cybersecurity Coordinator, Mr. Howard Schmidt, to take full advantage
of security lessons learned from other Federal programs. We are also
supporting our colleagues at the Department of Defense and the
Department of Veterans Affairs on their implementation of the Virtual
Lifetime Electronic Record (VLER) project, and continuing our work with
the Federal Health Architecture (FHA).
Additionally, ONC has maintained a close working relationship with
HHS' Office for Civil Rights (OCR) and consulted with OCR as it
developed the proposed modifications to the HIPAA Privacy, Security,
and Enforcement Rules required by the HITECH Act to strengthen the
privacy and security protections for health information and to improve
the workability and effectiveness of the HIPAA Rules. The proposed
regulatory provisions would, among other things, expand individuals'
rights to access their information and restrict certain disclosures of
protected health information to health plans; extend the applicability
of certain Privacy and Security Rules' requirements to the business
associates of covered entities; establish new limitations on the use
and disclosure of protected health information for marketing and
fundraising purposes; and prohibit the sale of protected health
information without patient authorization. This proposed rulemaking
will strengthen the privacy and security of health information, and is
an integral piece of the Administration's efforts to broaden the use of
HIT in health care today.
HITECH Programs
Through implementing the new authorities provided by the HITECH
Act, we have committed to fostering the support, collaboration, and
ongoing learning that will mark our progress toward electronically
connected, information-driven medical care. Several new programs will
contribute to this progress, including:
The State Health Information Exchange Cooperative
Agreement Program--A grant program to support States or State
Designated Entities in rapidly building capacity for exchanging
health information across the health care system both within
and across states.
The Beacon Community Program--A grant program for
communities to build and strengthen their HIT infrastructure
and exchange capabilities. These communities will demonstrate
the vision of a future where hospitals, clinicians, and
patients are meaningful users of health IT, and together the
community achieves measurable improvements in health care
quality, safety, efficiency, and population health.
The Health IT Workforce Program--A multi-pronged
approach designed to support the education of HIT
professionals, including new and expanded training programs,
curriculum development, and competency testing.
The Strategic Health IT Advanced Research Projects
(SHARP) Program--A grant program to fund research focused on
achieving breakthrough advances to address well-documented
problems that have impeded adoption: 1) Security of Health
Information Technology; 2) Patient-Centered Cognitive Support;
3) Healthcare Application and Network Platform Architectures;
and, 4) Secondary Use of EHR Data.
The Health Information Technology Extension Program--
A grant program to establish Health Information Technology
Regional Extension Centers to offer technical assistance,
guidance, and information on best practices to support and
accelerate health care providers' efforts to become meaningful
users of EHRs.
Supporting Standards Needs beyond Meaningful Use Stage 1
We anticipate that future stages of meaningful use will build on
the foundation we have now established and will require progressively
more rigorous electronic health information exchange requirements. In
order to develop those requirements, we have again asked the HIT Policy
Committee to make recommendations on what meaningful use Stages 2 and 3
should encompass. The HIT Policy Committee and its Meaningful Use
workgroup have received testimony and held numerous hearings on topics
such as care coordination, patient/family engagement, and eliminating
disparities in health care. This fall the Meaningful Use workgroup will
be holding additional public meetings, and will be closely monitoring
implementation of meaningful use Stage 1 to inform its recommendations
to the HIT Policy Committee. As before, and in response to the
meaningful use policy priorities identified by the HIT Policy
Committee, we anticipate that the HIT Standards Committee will also
begin to focus on the standards, implementation specifications, and
certification criteria that will be necessary for future stages of
meaningful use. We also expect the HIT Standards Committee to issue
recommendations that focus on strengthening the security capabilities
of EHR technology and on standards for electronic health information
exchange in support of meaningful use.
In order to support future stages of meaningful use as well as our
other initiatives, we determined that a comprehensive standards and
interoperability framework was needed, and we are currently in the
process of establishing that framework. The ``Standards and
Interoperability Framework'' is intended to help us coordinate our
standards development efforts, and to facilitate the development,
adoption, and use of high-quality standards and implementation
specifications. We believe by using the Standards and Interoperability
Framework, we can develop and maintain a well organized set of
standards that can be reused across different use cases, and allow for
greater coordination among public and industry stakeholders.
Interoperability will be critical to our success in Stages 2 and 3
of meaningful use. In the Initial Set, we adopted several standards for
the electronic exchange of health information, but we recognize that
greater specificity is necessary to reach our goals. In that respect we
will be working on adopting additional implementation specifications;
achieving agreement on vocabularies and code sets for particular
exchange purposes; and comprehensive privacy and security capabilities
for EHR technology.
Conclusion
The HITECH Act provides for an unprecedented amount of funding to
improve the quality and efficiency of health care through HIT, and its
historic investment will undoubtedly help transition our current
antiquated, paper-dominated health care system into a high-performing
21st century health care system. With a nationwide infrastructure of
HIT in place, that provides the capability of secure interoperable
health information exchange through consensus built standards,
patients, providers, and the public will experience the true value
added for improving health care delivery. It is my privilege to testify
before you today and I look forward to answering any questions you
might have.
Biography for David Blumenthal
David Blumenthal, MD, MPP serves as the National Coordinator for
Health Information Technology under President Barack Obama. In this
role he is charged with building an interoperable, private and secure
nationwide health information system and supporting the widespread,
meaningful use of health IT.
Dr. Blumenthal received his undergraduate, medical, and public
policy degrees from Harvard University and completed his residency in
internal medicine at Massachusetts General Hospital. Prior to his
appointment to the administration, Dr. Blumenthal was a practicing
primary care physician; director, Institute for Health Policy; and the
Samuel O. Thier Professor of Medicine and Professor of Health Policy at
the Massachusetts General Hospital/Partners HealthCare System and
Harvard Medical School.
Dr. Blumenthal is a renowned health services researcher and
national authority on health IT adoption. With his colleagues from
Harvard Medical School, he authored the seminal studies on the adoption
and use of health information technology in the United States. He is
the author of over 200 scholarly publications, including most recently,
``Heart of Power: Health and Politics in the Oval Office,'' which tells
the history of U.S. Presidents' involvement in health reform, from FDR
through George W. Bush.
A member of the Institute of Medicine and a former board member and
national correspondent for the New England Journal of Medicine, Dr.
Blumenthal has held several leadership positions in medicine,
government, and academia including Senior Vice President at Boston's
Brigham and Women's Hospital; Executive Director of the Center for
Health Policy and Management and Lecturer on Public Policy at the
Kennedy School of Government; and as a professional staff member on
Senator Edward Kennedy's Senate Subcommittee on Health and Scientific
Research.
He was the founding chairman of AcademyHealth and served previously
on the boards of the University of Chicago Health System and of the
University of Pennsylvania Health System. He is recipient of the
Distinguished Investigator Award from AcademyHealth, and a Doctor of
Humane Letters from Rush University.
Chairman Wu. Thank you very much, Dr. Blumenthal.
Ms. Roberts, please proceed.
STATEMENT OF KAMIE ROBERTS, ASSOCIATE DIRECTOR FOR FEDERAL AND
INDUSTRIAL RELATIONS, INFORMATION TECHNOLOGY LABORATORY,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Ms. Roberts. Chairman Wu, Ranking Member Smith and Members
of the Subcommittee, I am Kamie Roberts, Associate Director of
the Information Technology Laboratory at the Department of
Commerce's National Institute of Standards and Technology.
Thank you for the opportunity to appear before you today to discuss
our role in standards for health information technology.
Both the President and Congress have recognized that health
IT is a national priority, and NIST expertise on standards and
interoperability is key to the fulfillment of the goals of
health IT, such as higher quality and more efficient care,
seamless, secure and private movement of data between health
care providers without compromise or loss of information, and
fewer errors and redundant tests, to name a few.
Over its history, NIST has been successful in applying
emerging IT standards in many national priority domains and
leveraging collaborations with industry and other federal
efforts. Health IT is no exception. NIST has been collaborating
with industry and others to improve the health care information
infrastructure since the 1990s.
I would like to quickly note that as with any standards
effort in the United States, there are strengths and challenges
in health IT standards activities. The health IT standards
development effort in the United States is strengthened by the
robust, open process in which public and private sector
collaborations are addressing the end goal of interoperable
EHRs and health IT systems. The many varied partners bring
their own strengths to the deliberations. At the same time,
with health IT as a national priority, many standards
development organizations are working to provide the standards-
based solutions needed, which can sometimes lead to
conflicting, overlapping or redundant standards.
A further challenge is the need to accelerate standards to
keep up with the fast pace of technology advances.
NIST plays a critical role by providing technical expertise
early and throughout the standards development process by
leveraging industry-led, consensus-based standards development
and harmonization efforts. NIST is helping ensure that the
requisite infrastructural standards, such as clinical
information exchange and security are complete and unambiguous.
NIST testing activities, including developing test tools
and associated testing infrastructure, reduce the cost to help
develop IT systems, first, through the early use of testing,
which can accelerate standards development efforts, and second,
as vendors implement systems, test tools provided by NIST help
ensure that standards are implemented correctly.
Under the temporary health IT certification program,
testing organizations authorized by the Office of the National
Coordinator will use the NIST tests to evaluate EHR software
and systems so doctors' offices, hospitals and other health
care providers have confidence in the systems that they
purchase. In addition, NIST is advising ONC on the process by
which testing organizations will be authorized to test and
certify the EHR systems.
There is much to be done in the realm of health IT
standards, so we have to set priorities. Current priority areas
include security standards, usability standards, and medical
device interoperability standards. NIST also advances other
high-priority health IT standards as needed.
NIST is actively engaged with private industry, academia,
and other federal agencies including our colleagues in the
Networking and Information Technology Research and Development
Committee in coordination of longer-term health IT standards
activities to ensure that future technologies can be integrated
into the nationwide health care infrastructure.
NIST has a diverse portfolio of activities supporting our
Nation's health IT effort. With NIST's extensive experience and
broad array of expertise, both in its laboratories and in
successful collaborations with the private sector and other
government agencies, NIST is actively pursuing the standards
and measurement research necessary to achieve the goal of
improving health care delivery through information technology.
Thank you for the opportunity to testify today on NIST's
activities in health IT standards. I would be happy to answer
any questions you may have.
[The prepared statement of Ms. Roberts follows:]
Prepared Statement of Kamie Roberts
Chairman Wu, Ranking Member Smith, and Members of the Subcommittee,
I am Kamie Roberts, Associate Director of the Information Technology
Laboratory at the Department of Commerce's National Institute of
Standards and Technology (NIST). Thank you for the opportunity to
appear before you today to discuss our role in standards for health
information technology (IT).
NIST's mission is to promote U.S. innovation and industrial
competitiveness by advancing measurement science, standards, and
technology in ways that enhance economic security and improve our
quality of life.
NIST accelerates the development and deployment of information and
communication systems that are reliable, usable, interoperable, and
secure; advances measurement science through innovations in
mathematics, statistics, and computer science; and conducts research to
develop the measurements and standards infrastructure for emerging
information technologies and applications.
As health IT has become a top priority around the nation, it is
clear that standards and interoperability are key to the fulfillment of
the goals of health IT:
higher quality and more efficient care;
seamless, secure, and private movement of data
between healthcare providers without compromise or loss of
information;
access to medical histories (including diagnoses,
diagnostic tests, laboratory tests, and medication lists) at
the point of care and in emergency settings;
fewer errors and redundant tests;
more efficient and effective reporting, including
surveillance and quality monitoring; and
quick detection of adverse drug reactions and
epidemics.
NIST has been successful in applying emerging IT standards in many
national priority domains and leveraging collaborations with industry
and other federal efforts; health IT is no exception. NIST has been
collaborating with industry and others to improve the healthcare
information infrastructure since the 1990s. Our IT researchers have an
internationally respected reputation for their knowledge, experience,
and leadership. As in all NIST endeavors, we are highly recognized and
respected for our neutrality. Since 2005, NIST has worked closely with
the Department of Health and Human Services' Office of the National
Coordinator for Health IT (HHS/ONC). The role of NIST was further
articulated in the 2008-2012 Federal Health IT strategic plan and the
American Recovery and Reinvestment Act (ARRA) to:
Advance healthcare information enterprise integration
through standards and testing
Consult on updating the Federal Health IT Strategic
Plan
Consult on voluntary certification programs
Consult on health IT implementation
Provide pilot testing of standards and implementation
specifications, as requested.
The health IT standards development effort is strengthened by the
robust, open process in which private-public sector collaborations are
addressing the end goal of interoperable electronic health records and
health IT systems, where the various partners participate according to
their strengths. At the same time, with health IT as a national
priority, many standards development organizations are working to
provide the standards-based solutions needed, which can sometimes lead
to overlapping or redundant standards. A further challenge is the need
to accelerate standards to track the fast pace of technology advances.
NIST recognizes this need and through close collaborations with the
health IT community, priority areas are being identified and early use
of testing is helping to accelerate the development of complete,
unambiguous standards.
NIST Role in Health IT Standards
To accelerate health IT standards, NIST is providing technical
expertise and leveraging industry-led, consensus-based standards
development and harmonization efforts. NIST plays a critical role by
participating early in the development process and by helping ensure
that the requisite infrastructural standards (such as clinical
information exchange, security, and usability) are complete and
unambiguous. For example, NIST is collaborating with organizations
including Health Level Seven (HL7), IEEE, International Organization
for Standardization (ISO), and Integrating the Healthcare Enterprise,
to refine current standards and develop standards that are needed in
the future, such as standards for the next stages of meaningful use
criteria (in 2013 and 2015). NIST is also engaged with other Federal
agencies that have responsibility for health IT standards.
NIST testing activities, including developing test tools and
associated testing infrastructure, reduce the cost to develop health IT
systems by providing developers with an innovative, flexible and
virtual testbed to confirm that their systems can exchange clinical
information with other systems. In addition, it is important that
vendors test their implementation of standards-based health systems;
without testing it is impossible to know if a standard is implemented
correctly.
As a further extension of the NIST testing activities, NIST, in
collaboration with HHS/ONC, is helping develop a program for the
voluntary certification of health IT systems as being in compliance
with applicable certification criteria to meet meaningful use, that is,
performing specifically defined functions. This effort is two pronged:
(1) develop the test procedures necessary to certify the systems, and
(2) define the process by which testing organizations will be
authorized to test and certify the Electronic Health Record (EHR)
systems. To address the first prong, NIST published, in August 2010, a
set of HHS/ONC-approved procedures for testing EHR systems. During the
development of these test procedures, NIST collaborated with HHS/ONC to
ensure that the relevant standards and certification criteria were
consistent and effectively represented within the test procedures. The
approved NIST-developed test procedures evaluate components of EHR
systems such as their encryption, how they plot and display growth
charts, and how they control access so that only authorized users can
retrieve information.
Under the voluntary health IT certification program, testing
organizations authorized by HHS/ONC will use the NIST test procedures
to evaluate EHR software and systems so doctors' offices, hospitals and
other healthcare providers have confidence in the systems they
purchase. As defined in ARRA, the Federal government will provide
Medicare and Medicaid incentive payments to healthcare providers who
meaningfully use EHR systems which meet HHS/ONC certification standards
and criteria.
In addition, NIST is advising HHS/ONC on the process by which
testing organizations will be authorized to test and certify the EHR
systems. This includes advising on all aspects of developing the
temporary and permanent certification programs and collaborating with
HHS/ONC during the implementation and operational phases of the
certification programs. In addition, HHS/ONC has stated its intention
to use NIST's National Voluntary Laboratory Accreditation Program
(NVLAP) to perform the accreditation of testing laboratories under the
permanent certification program.
Standards Priorities
Working in collaboration with relevant standards development
organizations, Federal agencies, professional societies, and industry,
NIST provides technical expertise to enable the acceleration of
industry-led, consensus-based standards development and harmonization
to help ensure a complete, unambiguous set of health IT standards for
clinical information exchange functions such as finding patients,
discovering patient information, retrieving patient information,
sending patient information, and allowing information to be sent, such
as lab test results. Current priority areas include security standards,
usability standards, and medical device and terminology standards. NIST
also advances other high priority health IT standards as appropriate.
Security
To help safeguard health information, NIST is developing a
harmonized set of security principles and guidelines for use in
emerging secure health information exchanges. NIST developed a
systematic approach that organizations can use to design the technical
security architecture necessary for the secure exchange of health
information. This approach applies common government and commercial
practices to the health information exchange domain. Utilizing this
approach will assist organizations in ensuring protection of health
data is addressed throughout the system development life cycle, and
that organizations apply these protection mechanisms in technologies to
enable the exchange of health information. Other key activities in
health IT security include:
Using security automation specifications, NIST is
working with HHS's Office of Civil Rights to develop baseline
security configuration checklists and toolkits that will help
implement and assess the effectiveness of technical and non-
technical safeguards in the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule.
Conducting outreach and awareness on security
challenges, threats, and safeguards including presentations at
industry conferences, workshops, Federal Advisory Committee
meetings, and other Federal agencies on the application of
security standards and guidelines to support health IT
implementations.
Usability
Usability is a critical factor in health IT systems and must be
considered in future meaningful use criteria. Usability enables health
IT systems that are safe, effective, and efficient. Building upon our
foundational work in usability, NIST is performing cutting-edge
research for usability standards within the healthcare domain. NIST is
collaborating closely with industry, academia, and other government
agencies, including HHS/ONC, the Agency for Healthcare Research and
Quality (AHRQ), the Food and Drug Administration (FDA), and the
National Institutes of Health (NIH) to provide guidance in the
development of health IT usability standards and measurements. To
pursue these goals, in November 2009, NIST released a usability
roadmap, designed to deliver specific, objective health IT usability
standards and define rigorous testing methods to assess compliance.
This summer, to further refine the roadmap, NIST co-sponsored a health
IT usability workshop with HHS/ONC and AHRQ to prioritize, align, and
coordinate short, medium, and long-term strategies to improve usability
of EHR systems. To help carry out the work defined in the roadmap, a
public-private multi-year program of research will develop a principled
framework for measuring the usability of health IT systems, resulting
in established usability and accessibility standards for systems to
prevent critical errors and promote effective and efficient use by all
end users (doctors, nurses, administrators, patients, and others).
Closely related to usability, accessibility, if implemented in a well-
defined way, has the potential to remove the barriers to using health
IT systems for the 20% of our population who experience some form of
disability. Promoting the use of accessibility standards on a voluntary
basis will achieve a nationwide impact that is truly ``welcoming'' to
all people.
Medical Device Interoperability Standards
Medical devices have the ability to communicate with many other
devices of various makes, models, and modalities. Acute point-of-care
settings, such as a patient's bedside, require each class of medical
device to use the same terminology to seamlessly and reliably
communicate physiological data. As EHR systems are adopted, it is
important that data from medical devices be easily and fully integrated
into a patient's EHR. NIST researchers are collaborating with medical
device and EHR experts to develop point of care medical device and EHR
standards that meet this need.
In addition, terminology standards are an important area of focus
needed to facilitate device interoperability. Terminology standards
provide the necessary means to enable interoperability of data. For
example, different device manufacturers sometimes utilize different
terminology within their devices. Based on this, interoperability
between these devices or between a device and an EHR is impossible.
NIST, in collaboration with ISO and IEEE, developed a system to enhance
medical device interoperability through standard terminology mapping;
this system is being used across the health IT enterprise.
Beyond Meaningful Use
NIST is actively engaged with private industry, academia, and other
Federal agencies, including those in the Networking and Information
Technology Research and Development (NITRD) community, in coordination
of longer-term health IT standards development, research, and outreach
activities. For example:
There is an ever-growing need to provide remote and
home healthcare for aging, underserved (e.g., rural), and
chronically ill populations, which can be facilitated by
leveraging existing and emerging health IT standards and
testing. Telemedicine includes capabilities where wellness
checkups and monitoring, diagnoses, and treatment can occur any
place and any time.
Pervasive healthcare explores the use of emerging
technologies such as body sensors, implants, and medical
equipment for routine monitoring of chronic conditions. Current
research includes analyzing the impact of interference from
such devices and exploring the potential of applying energy
from human movement to power the devices.
Standards and guidelines are required so that medical
records can be retrieved regardless of the format and medium in
which they were first created or stored. This preservation will
allow doctors to create the medical records of children today,
and enable access to those same medical records when those
children are adults.
Standards and terminologies need to be extended to
accommodate changing technologies and advances in biomedical
knowledge.
Information needs to be retrieved from notes in EHRs
where data is not formatted or structured. EHR systems contain
a wealth of information in the notes on a patient's history,
symptoms, reactions, etc. Research into the retrieval and
analysis of this textual information based on specific search
criteria will enable use of key data by the practitioner.
Advances are needed in image quality for healthcare
applications to help ensure, for example, that the colors
viewed on a digital image by a medical practitioner are
representative of the actual colors when viewed in person.
NIST activities and collaboration in areas such as these will
ensure that future technologies can be integrated into the nationwide
healthcare infrastructure. NIST's pilot projects and/or programs doing
basic research in these emerging technologies have potential for
immediate and big impact applications in healthcare. Using NIST core
competencies to expand research in these areas is in direct support of
the goals of health IT.
NIST has a diverse portfolio of activities supporting our nation's
health IT effort. With NIST's extensive experience and broad array of
expertise both in its laboratories and in successful collaborations
with the private sector and other government agencies, NIST is actively
pursuing the standards and measurement research necessary to achieving
the goal of improving healthcare delivery through information
technology.
Thank you for the opportunity to testify today on NIST's activities
in health IT. I would be happy to answer any questions that you may
have.
Biography for Kamie Roberts
Kamie Roberts is the Associate Director for Federal and Industrial
Relations of the Information Technology Laboratory (ITL) at the
National Institute of Standards and Technology (NIST). As Associate
Director, Roberts provides a focal point for interactions with
industry, government and international communities in key ITL program
areas. She is responsible for the management of technical and
administrative staff serving the needs of the ITL and NIST management,
including but not limited to coordination of NIST Health Information
Technology strategy and telemedicine research activities, ITL strategic
planning, and IT standards liaison.
During 2009, Roberts served as the Acting Division Chief of the
Software and Systems Division in ITL. The division develops software
testing tools and methods that improve quality, conformance to
standards and correctness. The division also participates with industry
in the development of forward-looking standards. Key focus areas
include health information technology, software quality, computer
forensics, voting systems and test method research.
From October 1996 to June 1998 and again from April 2002 to June
2006, Roberts served as the Acting Deputy Director of the Information
Technology Laboratory. She was responsible for the day-to-day
administration, financial, and personnel management of the laboratory
and assisted in the direction of the scientific and technical
activities of the Laboratory divisions.
Roberts served in the Office of Enterprise Integration, ITL, NIST,
coordinating Department of Commerce activities in the area of
enterprise integration. Roberts also served as special assistant to the
NIST Director in the Director's role as Chair of the Committee on
Applications and Technology of the Administration's Information
Infrastructure Task Force. Previously, Roberts was on detail as
technical staff to the Director of NIST in the position of Program
Analyst. Prior to December 1994, Roberts performed research in the
areas of distributed systems, transaction processing, X.25 networking
standards and integrated services digital network standards.
Roberts received a B.S. degree in Mathematics with a minor in
Computer Science from Clarion University of Pennsylvania in 1986 and
received a Masters Degree in Computer Science at George Washington
University in 1998. Since 1986, she has been a Computer Scientist at
the National Institute of Standards and Technology (NIST).
Last updated: 11/17/2010
Chairman Wu. Thank you, Ms. Roberts.
Ms. Sensmeier, please proceed.
STATEMENT OF JOYCE SENSMEIER, VICE PRESIDENT, INFORMATICS,
HEALTHCARE INFORMATION AND MANAGEMENT SYSTEMS SOCIETY
Ms. Sensmeier. Thank you, Chairman Wu, Ranking Member Smith
and Subcommittee Members. My name is Joyce Sensmeier and I
serve as Vice President of Informatics at HIMSS, where I
oversee the clinical informatics, standards, interoperability,
privacy and security initiatives for the Society. It is a
pleasure to be with you today before the Subcommittee and
alongside these distinguished panelists.
I present these comments on behalf of HIMSS, a cause-based,
not-for-profit organization exclusively focused on providing
global leadership for the optimal use of information technology
and management systems for the betterment of health care. HIMSS
represents more than 30,000 individual members of which two-
thirds work in health care provider, governmental, and not-for-
profit organizations. HIMSS also includes over 470 corporate
members and more than 85 not-for-profit and provider
organizations that share our mission. Supporting the adoption
and meaningful use of health IT is a key focus for HIMSS
membership, and as a nurse and a clinician with several decades
of experience, I am deeply committed to improving patient
safety and outcomes. It is in that vein that we have addressed
the two questions posed by the Subcommittee.
The first question is related to the progress ONC has made
since passage of the HITECH Act. Prior to passage of HITECH,
and for many decades, standards development organizations used
open, consensus-based, volunteer-driven processes working in
silos developing health IT standards. With the passage of the
HITECH Act, a new process for oversight of health IT standards
has been implemented. While forward progress is being made, we
would like to identify three specific areas of concern.
First, data transport and basic security are focus areas
where selected standards are missing yet necessary for
achieving interoperability. For example, until the recommended
transport standards are identified, EHR vendors will be forced
to support all available transport methods or risk developing
software that may not meet future interoperability needs. This
lack of guidance in the first stage of Meaningful Use and the
standards criteria creates marketplace confusion and wastes
existing resources, ultimately delaying progress.
Second, we would like to express concern regarding the
selection of multiple standards for the same criterion such as
the selection of two clinical summary standards, CCR
[Continuity of Care Record] and CCD [Continuity of Care
Document]. When two standards are selected, vendors and
providers must choose to either support one or instead support
both, which is costly, resource-intensive and minimizes health
information exchange across organizations. It is our
recommendation that only one standard be selected for each
criterion in future Stages of Meaningful Use.
Our third area of concern is the timing of identifying and
selecting the standards in subsequent rules. Timing is critical
to ensure the industry can appropriately incorporate these
standards into the product development and implementation
cycle. Thousands of EHR systems are currently being developed
and upgraded by vendors and implemented by health care
providers. To ensure optimal software development and testing
and safe implementation, the final rules for Meaningful Use and
standards should be available 18 months before the next stage.
The second question relates to the strengths and weaknesses
of the current health IT standards identification and
development process. HIMSS was pleased that the final rule
established standards criteria for supporting stage 1 of
Meaningful Use and specifically that structured lab test
results and appropriate implementation guidance were added.
HIMSS urges CMS, ONC and NIST to ensure that all contractual
engagements in the standards harmonization are coordinated and
leverage the public domain work products of standards
harmonization bodies such as HITSP [HIT Standards Panel] and
Integrating the Healthcare Enterprise, IHE. We also request
that they complement rather than duplicate each agency's
efforts when creating testing procedures, tools, services and
reference implementations and that they embrace a transparent
and open consensus process with the private sector.
We also recommend that HHS publish implementation guidance
for all selected standards, publish standards for data
transport, financial transactions, security and health
information exchange as soon as possible, publish the process
and schedule for harmonizing standards, and set up one
repository such as the National Library of Medicine for
licensure and access to all standards and implementation
guides. HIMSS is pleased to see these final rules being
implemented in order to put into action the legislative and
Executive Branch intent to transform health care using IT.
I thank you for this opportunity, and I would be happy to
answer questions, and we look forward to providing our members'
expertise to help transform health care in the United States.
[The prepared statement of Ms. Sensmeier follows:]
Prepared Statement of Joyce Sensmeier
Good morning. My name is Joyce Sensmeier and I serve as Vice
President of Informatics for HIMSS, where I oversee the clinical
informatics, standards, interoperability, privacy and security
initiatives for the Society. It is a pleasure to be with you today
before this Subcommittee and alongside these distinguished panelists.
Background
I present these comments today on behalf of HIMSS, a cause-based,
not-for-profit organization exclusively focused on providing global
leadership for the optimal use of information technology (IT) and
management systems for the betterment of healthcare. Founded 50 years
ago, HIMSS and its related organizations have offices in Chicago,
Washington, DC, Brussels, Singapore, Leipzig, and other locations
across the U.S. HIMSS represents more than 30,000 individual members,
of which two-thirds work in healthcare provider, governmental and not-
for-profit organizations. HIMSS also includes over 470 corporate
members and more than 85 not-for-profit organizations that share our
mission of transforming healthcare through the effective use of IT and
management systems. HIMSS frames and leads healthcare practices and
public policy through its content expertise, professional development,
and research initiatives designed to promote information and management
systems' contributions to improving the quality, safety, access, and
cost-effectiveness of patient care.
I have been deeply involved in the harmonization and adoption of
health IT standards during my decade at HIMSS. With co-sponsor, the
Radiological Society of North America, I led HIMSS' effort to develop
and manage Integrating the Healthcare Enterprise (IHE), a global
initiative that drives the adoption of health IT standards for clinical
needs. I also led HIMSS' involvement with the Healthcare Information
Technology Standards Panel, or HITSP, a federal standards harmonization
initiative, while also collaborating with another organization to form
the Alliance for Nursing Informatics, a collaboration of 27 distinct
nursing informatics organizations that I co-chair.
I became Board Certified in Nursing Informatics in 1996, and am an
adjunct faculty member at Johns Hopkins University in Baltimore. This
year, I am honored to be recognized as a Fellow of the American Academy
of Nursing, a credential held by more than 1,600 nursing leaders
throughout the world.
On behalf of HIMSS members, we commend Congress and President
Barack Obama for their vision and commitment to transform our national
healthcare delivery system through the use of IT.
HIMSS and HITECH
I was asked to come before the Subcommittee today to share HIMSS'
perspective on the progress of federal efforts in the standards arena
to support the first stage of Meaningful Use. In this testimony, we
will aim to address the specific questions posed by the Subcommittee.
The American Recovery and Reinvestment Act of 2009 (ARRA) includes
billions of dollars in Medicare and Medicaid incentive payments to
providers and hospitals for the ``Meaningful Use'' of certified health
IT products, which are addressed in the Health Information Technology
for Economic and Clinical Health (HITECH) Act portion of the statute.
The HITECH Act requires the Department of Health and Human Services
(HHS) to take regulatory action in several areas, including electronic
health record (EHR) incentives for eligible professionals and hospitals
(Meaningful Use), standards and certification criteria, a Certification
Program, and privacy and security.
The HITECH Act also requires the Secretary of HHS to establish
certification criteria and standards for achieving Meaningful Use. HHS
and the Office of the National Coordinator for Health Information
Technology (ONC) established a Final Rule on the Standards,
Implementation Specifications, and Certification Criteria that are
being used to support Meaningful Use for the start of the incentive
payment programs in 2011.
The HHS/ONC Initial Set of Standards, Implementation
Specifications, and Certification Criteria for Electronic Health Record
Technology Interim Final Rule were published in the Federal Register in
January 2010. After receiving more than 400 responses from HIMSS and
other organizations, ONC released its Final Rule on July 28, which
included the resolution of technical challenges related to some of the
standards and implementation specifications. The Final Rule went into
effect on August 27, 2010.
Response to Subcommittee Questions
Supporting the adoption and Meaningful Use of health IT is a key
focus for the HIMSS membership. It is in that vein that we have
addressed the questions posed by the Subcommittee. We were asked by
this Subcommittee to particularly address two issues, the first of
which is:
``What progress has ONC made since the passage of the HITECH
Act in meeting the need for interoperability and information
security standards for electronic health records and health IT
systems?''
Prior to the passage of the HITECH Act, and for many decades,
standards development organizations (SDOs) used an open, consensus-
based, volunteer-driven process, working in silos to develop health IT
standards. While this is important work that is being leveraged by
healthcare entities today, each SDO has its own priorities, goals and
objectives. As a result, while many standards are available, there are
multiple gaps, redundant efforts, and limited adoption in live health
IT systems.
Also, standards are often not implemented consistently enough
across individual organizations or products to enable interoperability.
By necessity, hospitals and clinical practices invent one-off
integration ``solutions'' when implementing IT products, which is a
major impediment to interoperability. Implementation guides or
specifications are also necessary to ensure that standards are
implemented in the same manner to allow multiple systems to share data.
These implementation specifications are typically developed by SDOs,
such as Health Level 7 (HL7) or SNOMED, and standards-profiling
organizations, such as IHE.
Prior to enactment of the HITECH Act, U.S. health information
exchange priorities were set by the American Health Information
Community (AHIC), the Federal Advisory Committee established by HHS.
These priority use cases were given to HITSP through a $22-million,
five-year contract awarded to the American National Standards Institute
(ANSI), which was funded by HHS and managed by ONC. In an open,
consensus-based process involving 966 member organizations and more
than 900 volunteer stakeholders, HITSP technical committees selected
and harmonized standards to address the interoperability of the use
cases. This stakeholder engagement was widespread across both federal
and private sectors, and a number of the HITSP specifications, which
are available in the public domain, are in the process of being tested
and implemented. During its tenure, HITSP developed over 130
interoperability specifications that were subsequently accepted,
recognized, and/or adopted by HHS.
With the passage of the HITECH Act, a new process for oversight of
the health IT standards process has been implemented. During this
transition period, a degree of momentum in the advancement,
harmonization and implementation of health IT standards has been lost.
The healthcare community was previously aligning with the HITSP
process, and vendors and health information exchanges were adopting its
recommended standards and specifications. Today, the HIT Standards
Committee determines priorities and recommends standards to support the
Meaningful Use criteria. While the Committee's efforts are not overtly
based on an open, consensus-based process, it has designated task
forces and work groups to execute specific tasks, and these groups
invite testimony to incorporate feedback from the healthcare community.
The regulatory process stemming from the HITECH Act includes designated
comment periods to accommodate public feedback, which allows ``real
world'' experience and subject matter expertise to inform the final
regulations. Compliance with the standards identified in the Standards
and Meaningful Use final rules will be verified by the National
Institute of Standards and Technology (NIST) testing procedures and the
EHR certification process.
These inputs have informed the Standards, Implementation
Specifications and Certification Criteria, as well as the Stage 1
Meaningful Use final rules, which incorporate a beginning set of
standards and several implementation guides to enable interoperability.
Leveraging the open, consensus-based work products of HITSP and using
implementation guides from standards profilers such as IHE is essential
for quickly, efficiently and cost effectively advancing health IT
efforts to allow providers to realize the incentives. This type of
reuse was accomplished with selection of HITSP/C32 as the
implementation specification for the Continuity of Care Document (CCD)
and the Continuity of Care Record (CCR) clinical summary content
standards for Stage 1 Meaningful Use, and thus, is a positive example
of leveraging previous work and ensuring the interoperability of those
standards when implemented. However, there are significant gaps in
standards for interoperability in Stage 1 Meaningful Use.
We would like to identify three specific areas of concern regarding
standards selection for Stage 1 Meaningful Use. First, data transport
and basic security are focus areas where selected standards are
missing, yet necessary for achieving interoperability. We understand
that Stage 1 is not intended to force interoperability on a healthcare
community that is not technically ready to meet the requirement.
However, identifying the accepted transportation method will have a
dramatic impact on preparedness for Stage 2. For example, it is
important to designate standards for documenting the content of
clinical summaries, but if we don't know how to transmit these
summaries or acknowledge their receipt, we will have limited
interoperability. Until the recommended transport standards are
identified, EHR vendors will be forced to support all available
transport methods or risk developing software that may not meet future
interoperability needs. This lack of guidance creates marketplace
confusion and wastes existing resources, ultimately delaying progress.
Second, we would like to express concern regarding the selection of
multiple standards for the same criterion, such as selection of two
clinical summary content standards--CCR and CCD. When two standards are
selected, vendors and providers have to choose to support one standard,
or instead, support both, which is very costly, resource intensive, and
minimizes interoperability capabilities across organizations. It is our
recommendation that only one standard is selected for each criterion in
future stages of Meaningful Use.
Our third area of concern is the timing of identifying and
publishing the selected standards in subsequent rules, which is
critical to ensure that the industry can appropriately incorporate the
standards into the product development and implementation cycle.
Thousands of EHR systems are currently being developed and upgraded by
vendors and implemented by healthcare providers. Recent statistics show
that sales of hospital EHR systems nearly doubled from 2008 to
2009.[i] To ensure optimal software development, testing, and
safe implementation by providers, the final rules for Meaningful Use
and certification criteria should be available 18 months before the
next stage of Meaningful Use commences.
ONC has published a Standards and Interoperability Framework and
has recently completed the long-awaited contracting process for
promoting interoperability and Meaningful Use. The goal of this
framework is to create a collaborative, coordinated, incremental
standards process that is led by the industry in solving real-world
problems. The selected contractors will each be working to complete
specific components of the framework, including use case development,
standards harmonization, implementation specifications, tools and
services. It is ONC's stated intent to leverage the health IT
community, professional organizations, government agencies and
standards organizations to ensure that all of their work comes down to
a harmonized set of standards and implementation specifications. It is
essential that ONC and its contractors deliver on this promise, and use
an open, transparent, coordinated process to engage the community and
leverage their collective efforts in order to maximize industry
involvement and ``buy in'' to the effort.
Going forward, a centralized and coordinated process is needed for
engaging SDOs and harmonization organizations, such as IHE, in meeting
the needs for interoperability and information security standards for
EHRs. While government can be an enabler for this standards
coordination process, a neutral and uniform approach is necessary to
ensure that the principles of transparency, openness, stakeholder
representation, healthcare leadership, industry engagement,
impartiality and balance, due process, consensus, relevance, and
effectiveness are maintained. A timely evaluation of the optimal
process for standards coordination is needed to address this urgent and
important need.
In this testimony, we have previously suggested that the open,
consensus-based and public domain work products of HITSP and IHE should
be leveraged to quickly, efficiently and cost effectively advance
standards for health IT. To this end, IHE is a global non-profit entity
that has, over the past decade, developed a framework for standards-
based interoperability of health IT systems that is being adopted and
implemented worldwide. Each IHE integration ``profile'' describes a
clinical requirement for systems integration and outlines a standards-
based solution to address it. IHE profiles address critical
interoperability issues related to information access for care
providers and patients, clinical workflow, security, administration,
transport and information infrastructure. IHE profile development
includes multiple opportunities for public comment review and feedback.
Vendors that implement IHE specifications participate in annual testing
events hosted in a structured and supervised environment, to ensure
compliance, and publish integration statements for their IHE-compliant
products prior to real-world implementation.
A number of IHE transport profiles, such as Cross Community Access
(XCA), support the exchange of health information and documents across
communities and are being implemented in the Nationwide Health
Information Network and various regional health information exchanges
in the U.S. and worldwide. Reuse of these profiles in the U.S.
standards identification and development process will build on a
foundation of proven implementation guides that will accelerate
standards adoption and save valuable time and resources.
The second issue that we were asked to address is:
``What are the strengths and weaknesses of the current health
IT standards identification and development process, and what
should the top standards-related priorities be for future
health IT activities?''
HIMSS was pleased that the Final Rule established standards
criteria for supporting Stage 1 of Meaningful Use including:
- Removal of All or Nothing
- General relaxation of the requirements, specifically,
  implementation of drug-drug and drug-allergy interaction checks
- Maintenance of an active medication list
- Addition of structured lab test results
- Removal of LOINC code requirement
- Removal of requirement to submit electronically in Stage 1
- Change to a core and menu objectives approach
- Addition of a requirement to generate patient lists by specific
  conditions
- Expanded clinical quality reporting measures
- Moved requirements to check insurance eligibility and submit
  claims to Stage 2
- Added guidance to expand capability to submit electronic
  syndromic surveillance data to public health agencies
- Clarified numerous privacy and security criteria
- Moved more aggressive requirements to Stage 2
- Added appropriate implementation guidance
As discussed previously, we were disappointed that HHS did not
further leverage HITSP and other harmonization work, such as IHE.
Millions in federal taxpayer dollars and thousands of volunteer hours
by committed subject matter experts were expended on harmonization
efforts. Recognizing this work would have accelerated Meaningful Use
adoption. HIMSS urges the Centers for Medicare and Medicaid Services
(CMS), ONC and NIST to ensure that all contractual engagements for
standards harmonization and coordination efforts:
- Incorporate HITSP and IHE work products and test tools
- Complement (versus duplicate) each agency's efforts when creating
  testing procedures, testing tools & services, and reference
  implementations
- Embrace transparent and open consensus processes with the private
  sector
The HITECH Act set the vision for transforming the healthcare
setting and these final rules are key components in implementing that
vision. To achieve HITECH's vision, we recommend that HHS address the
following:
- Publish implementation guidance (such as IHE and HITSP
  interoperability specifications) for all selected standards
- Publish data transport, financial transactions, security and
  health information exchange standards as soon as possible
- Publish the process and schedule for harmonizing standards and
  developing implementation specifications
- Set up one repository (such as the National Library of Medicine)
  for licensure and access to all standards and implementation guides
- Publish, as soon as possible, federal health IT best practices
  guidelines
Finally, HIMSS urges HHS to publish criteria pertaining to Stage 2
Meaningful Use at least 18 months before the beginning of Stage 2. This
will enable sufficient time to develop, test, and deploy software
conforming to these standards and implementation guides so that all
eligible users can become meaningful users. Beyond the specific
concerns associated with the Standards, Implementation Specifications,
and Certification Criteria for Meaningful Use Stage 1, HIMSS is
concerned that Meaningful Use and interoperability will be hindered
without addressing two key areas, a patient identity solution and
security of personal health information.
In response to this question, I would also like to highlight an
important work product of one of HIMSS' many multi-stakeholder member
workgroups--the Patient Identity Integrity Workgroup. Last year, this
workgroup published a landmark white paper describing the challenges
and costly efforts healthcare organizations face every day in their
efforts to ensure the integrity (accuracy and completeness) of data
attached to or associated with an individual patient, including the
correct pairing or linking of all existing records for that individual
within and across information systems.
Obviously, patient identity integrity is of central importance to
achieving quality of care, patient safety, and cost control. In
addition, the primary goal for nationwide health information exchange
is to allow authorized users to quickly and accurately exchange health
information in an effort to enhance patient safety and improve
efficiency. Achieving this goal is dependent on the ability to link or
match multiple, disparate records relating to a single individual.
This white paper describes nine key influencers for improving data
integrity in this area. One key influencer listed is the need for
standards for patient identification data and format, and another has
to do with the need for a study of the current technical solutions
available to uniquely identify a patient. Using the results from the
study, we can anticipate the exponential exacerbation of problems and
errors with patient data matching in the health information exchange
environment and evaluate potential solutions. We can do this by having
current data on available technical capabilities as we formulate an
``informed patient identity solution,'' a position discussed in the
white paper and endorsed by the HIMSS Board of Directors.
Finally, I would like to highlight an annual HIMSS Security Survey
that examines in-depth information from healthcare organizations
regarding security implementation practices and technology uses. The
HIMSS Security Survey, now in its third year, analyzes the responses of
IT and security professionals from healthcare provider organizations
across the U.S. regarding the policies, processes and tools in place at
healthcare organizations to secure electronic patient data. The study
covers a multitude of topics regarding organizations' general security
environment, including access to patient data, access tracking, and
audit logs, use of security in a networked environment and medical
identity theft.
Last year, we probed our respondents with regard to their
preparedness and approach for meeting new privacy and security
requirements contained in ARRA, and we were privileged to provide
testimony to the HIT Standards Committee as to the results and trends
uncovered in this study.[ii] This year, we have partnered with
the Medical Group Management Association (MGMA) to include an even
larger population of ambulatory and medical group practices. The
results of this year's study will be available in early November, and
we would be happy to provide those results to the Subcommittee.
Closing
HIMSS is pleased to see these final federal rules and the ONC
Standards and Interoperability Framework and related contracts being
implemented in order to put into action legislative and executive
branch intent to transform healthcare using IT. Through our robust
member structure, we will continue to evolve our positions to reflect
the current needs of health IT professionals to improve healthcare
quality, safety, efficiency, and access for all. HIMSS believes that by
linking credible health IT principles emanating from our members' needs
and experiences, we will help our nation successfully transform
healthcare using effective IT.
Celebrating our 50-year history of serving the healthcare
community, HIMSS remains deeply committed to working with federal and
state leaders in a bipartisan manner to improve the quality, safety,
and efficiency of healthcare for all through the appropriate use of IT
and management systems. HIMSS members appreciate and understand the
cultural and technical challenges that healthcare providers face in
meeting the requirements for Meaningful Use.
In closing, I'd like to highlight a few health IT initiatives
within HIMSS that aim to recognize best practices in the use of health
IT and measure the level of EHR adoption throughout the U.S. These
initiatives will be critical reference points in evaluating the success
of the HITECH Act in transforming the way we do healthcare. To
recognize healthcare's excellence in using IT to improve access,
safety, quality and efficiency, the HIMSS Nicholas E. Davies Awards of
Excellence [iii] recognizes management, functionality,
technology and value--the pillars of health IT success. Objectives of
the Davies program include promoting the vision of EHR systems through
concrete examples; understanding and sharing documented value of EHR
systems; providing visibility and recognition for high-impact EHR
systems; and sharing successful EHR implementation strategies.
The awards focus on four healthcare settings: organizations,
ambulatory sites, public health, and community health organizations.
Since 1994, the Davies program has honored 71 healthcare organizations,
private practices, public health systems, and community health
organizations that have implemented health IT, specifically EHRs, in
their respective locations. I invite members of the Subcommittee to
visit HIMSS' State HIT Dashboard [iv] to locate Davies winners
in or near your Districts. Mr. Chairman, I'm pleased to report that
there are two Davies winners in your home state of Oregon: Kaiser
Permanente Northwest in Portland,[v] and the Indian Health
Service in Warm Springs.[vi]
Next, I would like to highlight the HIMSS Analytics' EMR
Adoption Model(SM) (EMRAM).[vii] Knowing the baseline
of current adoption of health IT is critical to understanding the
realities at U.S. hospitals and the federal government's EHR adoption
goals. According to quarterly health IT implementation census data from
HIMSS Analytics, the use of health IT among healthcare providers has
steadily increased over the past four years.
Using a census survey, HIMSS Analytics' EMRAM tracks adoption of
EMR applications within all 5,217 U.S. civilian hospitals and health
systems and scores hospitals based on their progress towards meeting
the criteria for various stages within the Model. There are eight
stages for hospitals, ranging from 0 to 7, as they move to a completely
electronic environment (Stage 7); at the pinnacle of the model, paper
charts are no longer used in the delivery of patient care.
As of June 2010 [viii]:
- 16.3 percent of U.S. hospitals (850 of 5,217) have achieved
  ``Stage 4'' or higher of the Adoption Model. This is up from 3.7
  percent in December 2006.
- Another 50.2 percent of U.S. hospitals (2,621 of 5,217) have
  achieved ``Stage 3.''
As it has for the past six years, HIMSS Analytics will continue to
gather data and release quarterly updates of its census-based survey,
shedding light on EHR adoption levels.
Driving the appropriate use of health IT will improve patient
safety and the quality, accessibility, and cost-effectiveness of
healthcare. Thanks to our informed and committed member volunteers,
HIMSS will be a leader in the transformation. HIMSS looks forward to
working with the legislative and executive branches in helping to
ensure that the components of the HITECH Act are appropriately
implemented. HIMSS actively equips its members with the knowledge and
tools they need to successfully navigate these regulations, including
FAQs, white papers, and educational webinars.[ix]
Again, it was a pleasure to be with you today before this
Subcommittee and alongside these distinguished panelists. I would be
happy to answer questions that members of the Subcommittee may have and
look forward to providing our members' expertise to help you transform
healthcare in the U.S. Thank you for this opportunity.
[i] CIS Purchase Decisions: Riding the ARRA Wave. Klas. August 2010. Available at: http://www.klasresearch.com/Store/ReportDetail.aspx?ProductID=589
[ii] http://www.himss.org/content/files/HIMSS2009SecuritySurveyReport.pdf
[iii] http://www.himss.org/davies
[iv] http://www.himss.org/statedashboard
[v] http://www.himss.org/davies/pastRecipients--org.asp
[vi] http://www.himss.org/davies/pastRecipients--ph.asp
[vii] http://www.himssanalytics.org/hc--providers/emr--adoption.asp
[viii] http://www.himssanalytics.org/stagesGraph.html
[ix] http://www.himss.org/economicstimulus
Biography for Joyce Sensmeier
Joyce Sensmeier is Vice President of Informatics for HIMSS, the
largest U.S. not-for-profit healthcare association focused on providing
global leadership for the optimal use of information technology. HIMSS
represents more than 31,000 individual members, 470 corporate members
and 30 not-for-profit organizations that share its cause-based mission.
Sensmeier joined HIMSS as the Director of Professional Services in
2000. In her current role she is responsible for the areas of clinical
informatics, standards, interoperability, privacy and security.
Sensmeier became Board Certified in Nursing Informatics in 1996, earned
the Certified Professional in Healthcare Information and Management
Systems in 2002, and achieved HIMSS fellowship status in 2005. She is
an adjunct faculty member in the School of Nursing at Johns Hopkins
University in Baltimore. She previously served at Palos Community
Hospital in Palos Heights, Illinois as a nursing coordinator leading
clinical information system implementations.
Sensmeier has made contributions to enabling health information
exchange through standards profiling and harmonization initiatives. She
led advancement of Integrating the Healthcare Enterprise (IHE), an
international standards profiling organization which, over the past
decade, has achieved both regional and international adoption of its
public domain technical framework. She is President of IHE USA, and
previously served as the Standards Implementation Technical Manager for
the Healthcare Information Technology Standards Panel (HITSP).
An internationally recognized speaker and author of multiple book
chapters, articles and white papers, Sensmeier was recognized in 2010
as a fellow with the American Academy of Nursing, a credential held by
1,600 nursing leaders throughout the world. She is co-founder and co-
chair of the Alliance for Nursing Informatics, a collaboration of 27
distinct nursing informatics organizations that represents a unified
voice for nursing informatics professionals.
Sensmeier received a BSN from Elmhurst College and a Masters degree
in Nursing Administration from St. Xavier University, both in Illinois.
Chairman Wu. Thank you.
Dr. Gibson, please proceed.
STATEMENT OF RICHARD GIBSON, PRESIDENT, OREGON HEALTH NETWORK
Dr. Gibson. Chairman Wu, Ranking Member Smith, good morning
and thank you for the opportunity to discuss health information
technology standards. My name is Richard Gibson. I am a
practicing family physician and former emergency physician and
have nearly 20 years of experience in health information
technology.
On the status of current standards, the Meaningful Use
final rule has been well received by providers. We applaud the
Office of the National Coordinator and the Centers for Medicare
and Medicaid Services for seriously considering the many
comments received over the past nine months. They have been
extraordinarily responsive in making rules as straightforward
and as pragmatic as possible while still moving the country
forward to electronic health records that promise to improve
the quality and consistency of health care.
Concerning the standards-related priorities for the future,
my comments will go to the area of helping small practices in
the short term to connect to each other directly while we await
the more complete and widespread health information exchange.
We need a standard for transmitting provider text notes.
Providers expect to be able to review the text reports produced
by other providers. Historically, these text reports have been
produced by transcribing notes that physicians dictated, say,
for an office visit, a consultation note, a surgical procedure
and the like. We need a specific continuity-of-care document or
continuity-of-care record for these text documents to be most
useful for patient care.
We need a standard for exporting and importing patient
information directly between EHRs and directly provider to
provider. Meaningful Use stage 1 does not require EHRs to have
the ability to export and import patient information directly
to and from other EHRs. As clinicians move to electronic health
records, we need to enable our EHRs to transfer patient
information as easily as fax machines accomplish that transfer
now. The office staff needs to be able to press a button to
send information to the next physician. This concept and the
next two have been promulgated by Wes Rishel at Gartner and
have led to the NHIN [Nationwide Health Information Network]
Direct Project.
We need a standard directory for health Internet addresses.
After a provider decides to refer the patient to another
physician, the provider or her staff member could go onto the
Internet and search for the provider's authenticated health
Internet address. This could be entered into the sending
physician's electronic health record, which would send an
encrypted packet of information directly to the receiving
physician's electronic health record. Later, states will need a
record locator service so that emergency departments can pull
data from the patient's previous providers.
We need a standard for document transfer that can
accommodate providers still on paper records. It will be years
before all providers have electronic health records. We need a
standard that sends patient information like an e-mail
attachment so that providers on paper records can still print
the information. Once they do get an EHR, the same attachment
could be imported into that EHR.
We need an EHR functionality requirement for quality
measure reporting. Smaller practices under the current rules
would likely need to seek the help of consultants to produce an
acceptable quality measures report. This reporting needs to be
a core EHR function specified by a consistent nationwide
requirement so that providers in any practice can again press a
button to produce submission-ready reports on a chosen measure.
We need a national model for privacy and patient consent.
In Portland, we often see patients from southwest Washington.
Having significantly different privacy laws between Washington
and Oregon would lead to uncertainty, missed information and
the unnecessary duplication of diagnostic testing. We need a
federal effort to convene, sponsor, and mandate development of
model rules and laws that each state could take through its own
legislative process. We need to set appropriate expectations on
provider access controls to patient information. In our largely
fee-for-service health care system, one cannot exactly predict
which doctor or nurse may take care of them on any given
occasion. Our model needs to set the expectation in the
patient's mind that it is not possible to predict precisely who
will need access to their record in the course of their care.
Finally, we need a model for the complete health record
being available to the provider. Although the provider can
infer some of the patient's diagnoses from a medication list
and allergy list alone, it is crucial that providers see all
the medications and allergies when they prescribe. Without this
guarantee, patients could be hurt. Similarly, providers need
access to the full laboratory and imaging reports when they are
trying to make a diagnosis. Redacting these data because they
imply a certain restricted diagnosis is unsafe and could
ultimately result in physical harm to the patient.
Chairman Wu and Ranking Member Smith, thank you for the
opportunity to testify on these important issues. I would be
happy to answer any questions you may have.
[The prepared statement of Dr. Gibson follows:]
Prepared Statement of Richard Gibson
Chairman Wu and Members of the Subcommittee, good morning and thank
you for the opportunity to discuss health information technology
standards, current status and future needs. My name is Richard Gibson.
I am President of Oregon Health Network. I am a practicing, board-
certified family physician, and a former board-certified emergency
physician. I have nearly 20 years' experience in health information
technology, including working with several major hospital systems and
Oregon health information exchange planning efforts.
SUMMARY OF RECOMMENDATIONS
During my testimony I will offer my opinion on the current status
of recent standards, discuss challenges to EHR adoption, and make the
case for the following new national standards:
A standard for transmitting provider text notes.
A standard for exporting and importing patient information directly between EHRs and directly provider-to-provider.
A standard directory for Health Internet Addresses.
A standard for document transfer that can accommodate providers on paper records.
A standard EHR functionality requirement for quality measure reporting.
A national model for privacy and patient consent, access control, and availability of the entire health record.
STATUS OF CURRENT STANDARDS
Meaningful Use Final Rules Are Well Received
The delivery of the Final Rule on the CMS EHR incentive program has
been well received by the provider community. As far as Stage 1 of the
Meaningful Use objectives and measures, the uncertainty is now over.
This has been enormously helpful to providers. We applaud the
consideration that the Office of the National Coordinator and CMS have
shown to the many comments received over the past six months. This
office has been extraordinarily responsive in making rules as
straightforward and pragmatic as possible while still moving the
country forward to electronic health records that actually improve the
quality and consistency of healthcare. We very much appreciate the
obvious collaboration between the Office of the National Coordinator
and the Centers for Medicare and Medicaid Services and would encourage
continued coordination among all federal agencies working in health
information technology to achieve the needed improvement goals in
public health, mental health, and long term care through health
information exchange.
In particular, the use of Core Requirements and Menu Set
Requirements for Meaningful Use, in place of the ``all or nothing''
approach was very helpful in giving providers and EHR vendors some
flexibility in meeting Stage 1 Meaningful Use criteria. It is also very
helpful to providers and vendors to set the expectation that Stage 1
Menu Set Requirements will become Core Requirements in Stage 2. Vendors
and providers now know what to plan for over the next several years.
The Meaningful Use Final Rules have provided structure and organization
in electronic health records, previously characterized by a
disorganized marketplace where individual products could not
communicate effectively with each other.
The HITECH Act Has Ushered Great Progress
EHR vendors now have a clear roadmap for the next two years of what
will be required of their software as a minimum for clinician adoption.
They know what workflows need to be addressed by the EHR. The vendors know
the capabilities required of their EHR software in order for it to be
certified. Some current EHR products may not be able to achieve
certification. Clinicians now know that financial support is available
if they use certified EHRs and demonstrate their meaningful use.
Clinicians understand how their use of EHR will be measured. The HITECH
Act has done as much as it can to remove uncertainty in clinicians'
minds about whether or not to pursue an EHR. Enough of the EHR
incentive variables are now known for providers, hospitals, and health
systems to make reasoned choices about when and how they will acquire
an EHR. The HITECH Act has brought focus and consistency to EHR
adoption. It is now clear what needs to be done, even if it is not
quite as clear how long it will take.
CONCERNS ABOUT ADOPTION OF ELECTRONIC HEALTH RECORDS
Adoption of EHRs is a Prerequisite for Interoperability
We have an enormous effort still ahead of us. Before going on to
the specific standards that are the topic of today's hearing, we need
to acknowledge that the standards have relatively little application
unless individual healthcare providers have electronic health records
in the first place. Most of the more than 400,000 Eligible
Professionals still need to acquire an electronic health record, and
most of that effort will be in small physician offices. CMS has
estimated the five-year cost of acquiring an electronic health record
for an eligible professional to be $94,000. EHR incentive plans through
Medicare and Medicaid will cover 47 to 67% of that estimated cost. As a
general rule, EHRs still do not allow providers to see more patients in
a day, spend more quality time with their patients, or guarantee better
or more consistent health outcomes for their patients. In short, even
with the generous EHR incentive program, there still may not be a
sufficient financial rationale for individual providers or small
practices to invest in electronic health records.
Implementing an EHR is Stressful for the Provider
Implementing electronic health records in small physician offices
is not like purchasing a copy machine or a fax machine. In addition to
the great capital expense, the EHR is markedly disruptive to both the
clinical and administrative functions of the office. Every provider,
medical assistant, receptionist, and billing staff member needs to
change the way they do their work. Even with excellent training, it
usually takes 2-12 months before providers are fully comfortable on
their new tools. On a new EHR, each office visit takes longer--this
means increased waiting times for patients or a fewer number of
patients per day for the provider. It is not uncommon for providers on
a new EHR, after a full 8-10 hour day of seeing patients, to finish
their charts on the computer at home for three or four hours in the
evening. Even those providers who believe in the patient care benefits
of an EHR are exhausted by the process in the first year.
EHRs Viewed Unfavorably by Many Providers Because of Administrative
Documentation
Many providers who do not yet have EHRs in their office have
commented to me how much they dislike the output received from many
other physician office EHRs or from hospital EHRs. They specifically
complain about how many pages these EHR reports require and how
difficult it is to find the small bit of useful clinical information
within. Upon investigation, most of this low-value verbosity comes from
physicians documenting specific history and physical exam findings
required to support their billing. Also, as medicolegal requirements
ratchet up, clinicians feel a need to document with a date-time stamp
every single finding and every single item of data that they have
reviewed. The existing cumbersome EHR reports impair the clinical
process and can put the patient at risk by making important information
obscure. Clinicians criticize the EHR for this clumsy reading even
though the cause lies with our current payment and administrative
systems, and not the EHR itself, which is otherwise widely agreed to be
highly legible. Most clinicians would prefer to go back to simpler
charting that more closely reflects their thought process. These EHR
changes will need to await payment reform.
IT Professionals with Multiple Skills Needed for EHR Implementation
Another challenge in implementing electronic health records in
small provider offices is the lack of technical expertise and support
for the office. The providers are busy with a full schedule seeing
patients. Medical assistants are putting patients in rooms or they are
continuously on the phone with patients. Front office staff members are
trying to make appointments and handle incoming calls. The billing
staff is overwhelmed with insurance paperwork. Most providers and
staff, especially those in small practices, don't have time to become
fluent in the use of the new system, much less become expert in
training others to use the system. Typical small physician
implementations start two to three months before the expected launch
date of the software. All current paper-based workflows need to be
examined and re-designed for the new software. This requires analysts
who are not only familiar with software but familiar with the
healthcare office process. Bringing the majority of the 400,000
Eligible Professionals up to speed on an EHR in the next several years
will be challenged by a lack of IT implementation professionals.
EHR Technical Requirements Can Be Challenging for Smaller Practices
Small physician practices are already spending 40-60% of their net
revenue on overhead. Space in small physician offices is at a premium
and providing a physically locked computer space within the physician
office is difficult. Physician offices do not typically have the
technical expertise to manage the computers in the clinical areas as
well as the office computer network and the larger computers that act
as servers and tape backup for the EHR software. Hosting provider EHRs
on centralized servers supporting multiple practices may address this
concern, but many of the currently used office EHRs are not yet ready
for this step-up in technology. Many small towns do not have local
computer hardware professionals to support physician offices. The
Regional Extension Centers (RECs) exist to assist physicians in this
context but even with generous funding, the RECs will be challenged to
meet the enormous demand in the next several years.
STANDARDS-RELATED PRIORITIES FOR THE FUTURE
A Standard for Transmitting Provider Text Notes
When providers care for patients as a team, they expect to be able
to review the patient's relevant laboratory results, diagnostic imaging
reports, diagnostic images, and text reports that have been produced by
other providers. Historically these text reports were produced by
transcribing notes that physicians dictated for an office visit, a
consultation note, a surgical procedure, and the like. These text
reports are crucial for the coordination and transfer of care among
providers. One of the Meaningful Use Core Requirements for Eligible
Professionals calls for the capability to exchange ``Key Clinical
Information'' among providers and gives examples of such data. The
Requirement leaves the interpretation of ``key clinical information''
up to the provider. The HITECH Act specifies that the content standard
for a patient summary will be the Continuity of Care Document (CCD) or
Continuity of Care Record (CCR). These two documents have 17 sections
containing mostly lists but there is no standard CCD or CCR for the
specific text documents most useful for patient care. Physician office
EHRs and hospital EHRs need to be able to export and import CCDs or
CCRs specifically created for these crucial physician-authored reports.
A Standard for Exporting and Importing of Patient Information Directly
Between EHRs and Directly Provider-to-Provider
As noted above, health information exchange is predicated upon
providers having electronic health records. Oregon is currently
developing a statewide plan for the operation of local, regional, or
statewide health information exchanges. There is discussion as to what
health information should be exchanged and how that exchange should be
managed, for example, directly from provider to provider or from
provider to central information exchange to another provider. There are
pros and cons of these two ends of the spectrum. Three points need to
be made here. First, even if one has a centralized health information
exchange (HIE) the EHR still needs to export and import the common
patient information such as laboratory reports, diagnostic imaging
reports, diagnostic images, and provider text reports from the HIE. The
HITECH Act already specifies the content standard for most of these
data types but Meaningful Use Stage 1 does not require EHRs to use this
function. Second, HIEs are not yet well established. Complex
centralized patient data repositories serving as HIEs are likely to be
expensive to build and maintain and it may take a number of years
before most providers have access to an affordable HIE of this nature.
Third, central clinical data repositories may not be as trusted by
patients as direct exchange of information from one provider known by
the patient to another provider known by the patient. EHRs that can
directly export and import data are required even if HIEs are present,
and such EHRs have the added benefit that they can be used among
providers when an HIE is not available. The next round of regulations
needs to require that EHRs can export and import these data types
directly to and from other EHRs without requiring a central health
information exchange.
It should be noted that importing clinical data from an outside EHR
into one's own EHR will be very challenging technically and culturally.
Typical use of a CCD or CCR has them displaying the outside information
in the equivalent of a ``Correspondence'' section of the electronic
record. This is certainly better than having no information at all, but
if we wish physicians to order less duplicate testing, we will need to
devise technical standards where the results of an outside diagnostic
test appear in the EHR results table very close to the internally-
obtained test results.
Most ambulatory care in this country is delivered by providers in
the patient's local area. Providers in each specialty are likely to
know their colleagues in the other specialties from whom they receive
and to whom they send consultation requests. Much of the time these
consultation requests are arranged by the provider or by one of his/her
staff members. In a paper world this is conveniently handled by a phone
call and/or faxing of the clinical documents. The Receiving Physician
is very appreciative of having organized patient information from the
Sending Physician ahead of the patient arriving in the Receiving
Physician's office. As clinicians move to electronic health records, we
need to enable our EHRs with the ability to transfer patient
information as easily as fax machines accomplish that transfer now. The
Sending Physician knows what data need to go ahead of the patient. All
EHR vendors need to provide this export/import function at the point of
care for use by office staff. This concept and the next two have been
promulgated by Wes Rishel at Gartner and have led to the NHIN Direct
Project.
A Standard Directory for Health Internet Addresses
If providers are going to electronically export patient information
for immediate use by another provider, they will need to have a system
of Health Internet Addresses and provider directories. A Certificate
Authority will need to be established that can guarantee the
authenticity of a provider's Health Internet Address. After a provider
decides to refer the patient to another physician, whether next-door or
in another state, the provider or his/her staff member could go onto
the Internet and search for the provider's authenticated Health
Internet Address. This could be entered into the provider's EHR, which
would send an encrypted packet of provider text reports (for example,
Office Visit Notes), recent laboratory results, diagnostic imaging
reports, and diagnostic images to the Receiving Physician's EHR, which
would similarly import the patient information. Both provider offices
would be assured of immediate transmittal and receipt and the
authenticity of the providers' identities. A state, regional, or
national body could provide a similar function by building a Master
Provider Index. For the basic function of a provider pushing patient
information to another provider, there is not a need for a centralized
clinical data repository. In the longer run, we need a method where an
emergency department, for example, could pull patient data from other
providers and hospitals when the patient or family member is unable to
say where he or she has been cared for previously. This would require
the more complex function of a Record Locator Service, which would keep
track of the disparate electronic sources of a patient's clinical data.
A state or regional organization could furnish a Record Locator
Service.
A Standard for Document Transfer That Can Accommodate Providers on
Paper Records
It will be years before all providers have electronic health
records. For the next few years, providers will need to be confident
that they can manage patient information to support patient care
whether the Sending Physician or the Receiving Physician, or both, or
neither, is on an EHR. Imagine the Sending Physician has an EHR that
produces a concise, thorough patient information document. The Sending
Physician looks up the Receiving Physician's Health Internet Address
and sends the document directly from her EHR like an attachment to an
e-mail. The Receiving Physician, unbeknownst to the Sending Physician,
does not have an EHR. No problem--he receives the document as an
attachment to a secure e-mail, prints it out, reviews it, and includes
it in his paper charts. Once he acquires a certified EHR, he will be
able to import the document easily without resorting to printing. We
need a transfer standard that is human readable and that is flexible in
terms of the technology required on the receiving end.
A Standard EHR Functionality Requirement for Quality Measure Reporting
The Standards and Certification Criteria Final Rule is clear about
what quality measures Eligible Professionals will submit as part of the
Core Requirements. I appreciate the ONC making these measures
consistent with the Physician Quality Reporting Initiative. Although
the data elements for figuring the numerators, denominators, and
exclusions of each measure are clear, many EHRs will have difficulty in
getting their EHR software to produce these numbers automatically.
Business intelligence tools built into most EHRs are currently
immature. Smaller practices would likely need to seek the help of
consultants in order to produce an acceptable report from their EHR.
The necessary clinical data should be present in a certified EHR but
smaller EHR vendors will be challenged to include adequately
sophisticated report writing tools in their products that can be used
directly by clinicians. Quality measure reporting needs to be a core
EHR function specified by a consistent nationwide requirement, so that
providers in any practice can press a button to produce submission-
ready reports on a given measure.
A National Model for Privacy and Patient Consent
Currently Oregon is trying to establish health information exchange
privacy and patient consent standards for use within the state. I
applaud these efforts but think that EHR adoption would be much
enhanced by having consistency in privacy and patient consent across
all 50 states. In Portland we often see patients from Southwest
Washington. In the course of a busy office day, clinicians need access
to previous records. Having significantly different privacy laws in
Washington versus Oregon would lead to uncertainty, missed information,
and unnecessary duplication of diagnostic testing. Currently, providers
may exchange health records for purposes of payment, treatment, and
operations without explicit patient consent. If it is decided that a
patient needs to specifically consent to have their provider send or
retrieve their health information, then we need a standard so that any
vendor's EHR can effectively communicate the obtained patient consent
with any other vendor's EHR in any other state. We need a federal
effort to convene, sponsor, and mandate development of model rules and
laws that each state could take through its own legislative process. A
``Uniform Privacy Code,'' as it were, like the Uniform Building Code,
would provide interstate consistency and give EHR vendors confidence
that their software would perform consistently wherever it is used.
Setting Appropriate Expectations on Provider Access Control to Patient
Information
About six years ago at Providence Health and Services in Oregon, we
looked at the access to the electronic chart for a typical four-day
hospital stay. More than 65 different people had appropriate access to
the patient's chart during and after their hospital stay. Depending on
their role, some staff members had access to only a part of the
patient's information. It is unpredictable which provider will need
immediate access to a patient's chart at any given time. On a hospital
floor, a physician might ask a colleague to take a look at her patient.
The Receiving Physician walks right over to the computer and begins to
examine the patient's information. Nurses frequently are called from
one unit to another according to the ebb and flow of patient census and
they need immediate access to the records of that unit's patients. The
nature of fee-for-service healthcare makes it difficult to predict who
will be taking care of the patient next. As an emergency physician, I
would see people on Saturday night and refer them to the orthopedist to
be seen first thing Monday morning. When they show up at the
orthopedist's office, that doctor or her partner needs immediate access
to the full electronic health record even though they have never seen
the patient before. Our model needs to set the expectation in the
patient's mind that it is not possible to predict exactly who will need
access to their record in the course of their care. To balance these
relatively open provider access controls, I do believe we have an
opportunity to involve the patient in reviewing the log of who looked
at their records. Most confidentiality breaches in electronic health
records are associated with people who have approved access to a given
electronic health record system but use their access inappropriately in
looking up information of a friend or colleague for whom they are not
caring.
A Model for the Complete Health Record Being Available to the Provider
Access to the entire health record is important for providers
taking care of patients. It is crucial that providers see the entire
medication list, the entire allergy list, the entire problem list,
pertinent laboratory results, and diagnostic imaging studies. Although
the provider can infer some of the patient's diagnoses from the
medication and allergy lists, it is crucial that providers see all the
medications and allergies when they prescribe. Without this guarantee,
the patient could be hurt when a physician prescribes a medication that
interacts with one that they are already taking or to which they have
developed an allergy in the past. Most physicians would be very
uncomfortable practicing in an environment where some information about
the patient in front of them may have been redacted. Similarly,
providers need access to the complete laboratory reports and diagnostic
imaging results when they're trying to make a diagnosis. Hiding these
data because they imply a certain ``restricted'' diagnosis is unsafe
and could ultimately result in physical harm to the patient. I
acknowledge that most providers do not need to see the office visit
notes from sensitive psychotherapy sessions and these parts of the
records should be restricted to the mental health therapists only.
Everyone else needs to see the full health record.
CONCLUSION
In summary, the HITECH Act and the Meaningful Use regulations have
dramatically accelerated interest in electronic health records. The
proposed standards have assured clinicians and EHR vendors of a level
playing field where EHRs will ultimately be able to communicate with
each other. The regulations appropriately require evidence not just of
EHR implementation, but of improved intermediate healthcare outcomes. I
respectfully request that the next round of standards builds on the
progress of the current standards. Let national standards enable our
small physician offices to communicate directly with each other using
tools that can be mastered by the provider or office staff. We need a
specific transfer standard for the most crucial provider-authored text
notes. National regulations must require that EHRs can directly send
and receive patient information initiated by the office staff at the
point of care using the equivalent of e-mail attachments and Health
Internet Addresses while we wait for more complex exchange methods to
be developed. These tools can be used by physician offices still on
paper records as they prepare to move to an EHR. Finally, we need a
national privacy and patient consent model for states to use in creating
their own legislation so that patients and providers can be confident
that clinicians always have all the information in front of them that
they need to provide consistently superior care.
Chairman Wu and Members of the Subcommittee, thank you for the
opportunity to testify on these important issues. I would be happy to
answer any questions you may have.
Biography for Richard Gibson
Richard Gibson is President of Oregon Health Network, a nonprofit
using Federal Communications Commission funds to extend a medical-
grade, high-bandwidth network to all Oregon hospitals, community
colleges, and clinics for the underserved. He is a practicing family
physician and former board-certified emergency physician. Previously he
was Senior Vice President and Chief Information Officer for Legacy
Health, an integrated delivery network in Portland, Oregon. Before that
he was Chief Medical Information Officer for Providence Health and
Services, Oregon Region, also an integrated delivery network in
Portland, Oregon.
Dr. Gibson practiced family medicine in Forks, Washington, a
logging town of 3,000, four hours west of Seattle. He was an emergency
physician in Port Angeles, Washington, a community of 20,000 three
hours west of Seattle. He received a BS in Biology from Stanford
University and an MD from Case Western Reserve University in Cleveland.
He holds a PhD in Medical Informatics from the University of Utah and
an MBA from The Wharton School.
Outside of practicing medicine, Dr. Gibson has spent his
information technology career helping physicians, health systems, and
independent software vendors acquire, develop, and implement electronic
health records for use in physician office and hospital settings. He
has advised the State of Oregon in electronic health records, health
record privacy and security, health information exchange, and
telemedicine.
Chairman Wu. Thank you very much.
Ms. McGraw, please proceed.
STATEMENT OF DEVEN MCGRAW, DIRECTOR OF THE HEALTH PRIVACY
PROJECT, CENTER FOR DEMOCRACY AND TECHNOLOGY
Ms. McGraw. Okay. Thank you. Chairman Wu, Ranking Member
Smith and the staff. I really, very much appreciate the
invitation to testify before you on the privacy and security
challenges raised by widespread adoption of health IT.
What we do at CDT is develop and promote pragmatic privacy
and security policy and technology solutions for a health
system that we really hope will be increasingly characterized
by electronic health information exchange to improve individual
as well as population health, and I also chair the Health IT
Policy Committee's privacy and security team that Dr.
Blumenthal mentioned, and I appreciate the thanks. We are in a
very good place, I think, for making some progress on these
issues.
We know from survey data that the public is actually quite
enthusiastic about what we are doing with health IT but they
also express, in equal numbers, concern about privacy. You
can't have one without the other. Essentially, privacy is not
the obstacle to doing all this and getting it done; it is the
enabler, and we need to consider it that way and pay it serious
attention, and clearly this Subcommittee agrees or you wouldn't
have asked me here today in a hearing that is largely about
standards. And we will talk about security standards because
that is where standards really come into focus, probably less
so on the privacy side.
We do have the privacy and security regulations of HIPAA,
and of course states have laws as well, and those are the
baseline, but we are really changing the way we are going to be
moving health information and setting up new infrastructures
and so we have to consider what we need to layer on top of what
we already have, and in addition, we are talking about health
information technology, not just protecting health information,
and so we need to think about the strong role that technology
can actually play in helping us to accomplish a comprehensive
and flexible framework of privacy and security protections that
will build that trust layer that will enable us to go forward.
As I mentioned before, we are in a much better place than
we were a few years ago when we were arguing about privacy. We
are still arguing about it but we actually, the work that
Congress did in the HITECH legislation has pushed us
tremendously forward, and in addition, the financial incentives
that are part of the HITECH incentive program give us
additional policy levers to really push us into a better place
with respect to privacy and security.
We still do have gaps to address, of course. You know, this
is not something that is never done. We need to be continuously
paying attention to this, and so I am going to talk a little
bit about security and I am going to give some credit to one of
my panelists from HIMSS. They did a survey fairly recently of
large health care organizations that indicated that security is
far less of a priority than we would hope. Just to lay out some
examples, fewer than half conduct the annual risk assessment
that the HIPAA security rule requires. Fifty-eight percent of
these organizations say they actually don't have security
personnel, and 50 percent reported spending three percent or
less of their resources on security. And again, this is a
survey of large organizations and not small practices, although
as you will see in HIMSS' written testimony, they are doing
this survey next, I think. Those will probably be some very
sobering numbers but they are a lesson for us. We really need
to be quite serious about this. When you think about what the
root is of the public's concern, a lot of it is about
inappropriate access to records, for which security is a
primary gatekeeper.
Now, we know that with respect to what an electronic health
record has to have in order to be certified, there are
functionalities that have to be present, and Dr. Blumenthal
mentioned some of these--the ability to encrypt data, the
ability to generate an audit trail, but there is actually no
clear requirement to use the functionalities. The HIPAA
security rule is very flexible. It says that some of them are
addressable. Similarly, in Meaningful Use, you have to conduct
a risk assessment and address any deficiencies, but here you
have the functionalities in the record and we are not being
terribly clear with providers about using them. I think that is
a major deficiency. We need to raise our expectations certainly
with respect to small providers. You know, a piece of health
data is sensitive no matter who is holding it, whether it is a
large institution or a single physician practice. But in terms
of the level of resources that the smaller physician practices
can put into this, clearly we need something that is scalable
and something that works for them now with a glide path to
greater expectations down the road.
So I am reaching the end of my time. My written testimony
has a number of other gaps that I have discussed there,
including the HIPAA deidentification standard. We are seeing an
increasing emphasis on access to and use of deidentified data
for a range of purposes. Certainly when data is deidentified,
stripped of identifiers, it is much more privacy protective,
but we actually don't have a legal prohibition against
reidentification that we can enforce, and that is something
that Congress could actually do to really help secure trust.
Again, the deidentified data issue is a big one. HHS is doing a
study. I think after that comes out, we ought to talk seriously
about what the right next steps are.
So I am going to close. I had a real ambitious oral
statement here for five minutes. As I noted before, assuring
privacy and security to the level where we have the trust of
the general public in what we are trying to build here really
is an ongoing commitment and the fact that you have put privacy
and security on this agenda, even two years after HITECH when a
lot of people are saying, ``didn't we do this already?'' shows
that you agree, which is terrific.
So thank you again for the opportunity and I am happy to
answer any questions that you might have.
[The prepared statement of Ms. McGraw follows:]
Prepared Statement of Deven McGraw
Chairman Wu and Members of the Subcommittee:
On behalf of the Center for Democracy & Technology (CDT), I thank
you for the opportunity to testify today.
The Center for Democracy and Technology (``CDT'') is a non-profit
Internet and technology advocacy organization that promotes public
policies that preserve privacy and enhance civil liberties in the
digital age. As information technology is increasingly used to support
the exchange of medical records and other health information, CDT,
through its Health Privacy Project, champions comprehensive privacy and
security policies to protect health data. CDT promotes its positions
through public policy advocacy, public education, and litigation, as
well as through the development of industry best practices and
technology standards. Recognizing that a networked health care system
can lead to improved health care quality, reduced costs, and empowered
consumers, CDT is using its experience to shape workable privacy
solutions for a health care system characterized by electronic health
information exchange.
You have asked me to address, in particular, the main challenges
for personal privacy and information security presented by health
information technology (health IT), as well as the privacy and security
gaps and priorities that remain to be addressed for future health IT
activities. Not surprisingly, the main privacy and security challenges
in health IT result from gaps in current law and a lax approach to
enforcement, accountability and oversight. My testimony below focuses
on those gaps. However, since the broad topic of the hearing deals with
health IT ``standards,'' I have referenced some comments endorsed by
CDT urging a measured role for government in setting and enforcing
standards for health IT.
Introduction
Survey data consistently show the public supports health IT but is
very concerned about the risks health IT poses to individual
privacy.\1\ Contrary to the views expressed by some, privacy is not the
obstacle to health IT. In fact, appropriately addressing privacy and
security is key to realizing the technology's potential benefits.
Simply stated, the effort to promote widespread adoption and use of
health IT to improve individual and population health will fail if the
public does not trust it.
---------------------------------------------------------------------------
\1\ National Consumer Health Privacy Survey 2005, California
HealthCare Foundation (November 2005); study by Lake Research Partners
and American Viewpoint, conducted by the Markle Foundation (November
2006); Consumer Engagement in Developing Electronic Health Information
Systems, AHRQ Publication No. 09-0081EF (July 2009).
---------------------------------------------------------------------------
To build and maintain this trust, we need the ``second generation''
of health privacy--specifically, a comprehensive, flexible privacy and
security framework that sets clear parameters for access, use and
disclosure of personal health information for all entities engaged in
e-health. Such a framework should be based on three pillars:
Implementation of core privacy principles, or fair
information practices; \2\
Adoption of trusted network design characteristics;
and
Strong oversight and accountability mechanisms.\3\
---------------------------------------------------------------------------
\2\ Although there is no single formulation of the fair information
practices or FIPs, CDT has urged policymakers to look to the Markle
Foundation's Common Framework, which was developed and endorsed by the
multi-stakeholder Connecting for Health Initiative. See http://
www.connectingforhealth.org/commonframework/index.html.
\3\ See ``Policy Framework for Protecting the Privacy and Security
of Health Information,'' http://www.cdt.org/paper/policy-framework-
protecting-privacy-and-security-electronic-health-information (May
2008); ``Beyond Consumer Consent: Why We Need a Comprehensive Approach
to Privacy in a Networked World,'' http://www.connectingforhealth.org/
resources/20080221-consent-brief.pdf (February
2008).
---------------------------------------------------------------------------
This requires building on--and in some cases modifying--the privacy
and security regulations under the Health Insurance Portability and
Accountability Act (HIPAA) so that they address the challenges posed by
the new e-health environment. It also requires enacting new rules to
cover access, use and disclosure of health data by entities outside of
the traditional health care system and stimulating and rewarding
industry implementation of best practices in privacy and security.
In a digital environment, robust privacy and security policies
should be bolstered by innovative technological solutions that can
enhance our ability to protect data. This includes requiring that
electronic record systems adopt adequate security protections (like
encryption; audit trails; access controls); but it also extends to
decisions about infrastructure and how health information exchange will
occur. For example, when health information exchange is decentralized
(or ``federated''), data remains at the source (where there is a
trusted relationship with a provider) and is then shared with others for
appropriate purposes. These distributed models show promise not just
for exchange of information to support direct patient care but also for
discovering what works at a population level to support health
improvement. We will achieve our goals much more effectively and with
the trust of the public if we invest in models that build on the
systems we have in place today without the need to create new large
centralized databases that expose data to greater risk of misuse or
inappropriate access.
We are in a much better place today in building that critical
foundation of trust than we were two years ago. The privacy provisions
enacted in the stimulus legislation--commonly referred to as HITECH or
ARRA--are an important first step to addressing the gaps in privacy
protection. However, more work is needed to assure effective
implementation and address issues not covered by (or inadequately
covered by) the changes in ARRA.
In my testimony below, I call for:
Establishing baseline privacy and security legal
protections for personal health records (PHRs);
Ensuring appropriate limits on downstream uses of
health information;
Strengthening protections against re-identification
of HIPAA de-identified data;
Encouraging the use of less identifiable data through
the HIPAA minimum necessary standard;
Tightening restrictions on use of personal health
information for marketing purposes;
Strengthening accountability for implementing privacy
and security protections; and
Strengthening accountability for implementing strong
security safeguards.
Health IT: Key Privacy and Security Concerns
Establish Baseline Protections for PHRs
To keep pace with changes in technology and business models,
additional legal protections are needed to reach new actors in the e-
health environment and address the increased migration of personal
health information out of the traditional medical system. Personal
health records (PHRs) and other similar consumer access services and
tools now being created by Internet companies such as Google and
Microsoft, as well as by employers, are not covered by the HIPAA
regulations unless they are being offered to consumers by covered
entities.\4\ In the absence of regulation, consumer privacy is
protected only by the PHR offeror's privacy and security policies (and
potentially under certain state laws that apply to uses and disclosures
of certain types of health information). If these policies are
violated, the FTC may bring an action against a company for failure to
abide by its privacy policies. The policies of PHR vendors range from
very good to seriously deficient.\5\
---------------------------------------------------------------------------
\4\ HIPAA applies only to covered entities--providers, health
plans, and health care clearinghouses. Section 1172 of the Social
Security Act; 45 CFR 164.104. As explained in more detail below, ARRA
extended the reach of some of HIPAA's regulations to business
associates, which receive health information from covered entities in
order to perform functions or services on their behalf.
\5\ The HHS Office of the National Coordinator commissioned a study
in early 2007 of the policies of over 30 PHR vendors and found that
none covered all of the typical criteria found in privacy policy. For
example, only two policies described what would happen to the data if
the vendor were sold or went out of business, and only one had a policy
with respect to accounts closed down by the consumer.
---------------------------------------------------------------------------
The absence of any clear limits on how these entities can access,
use and disclose information is alarming--and has motivated some to
suggest extending HIPAA to cover PHRs. However, CDT cautions against
applying a one-size-fits-all approach. The HIPAA regulations set the
parameters for use of information by traditional health care entities
and therefore permit access to and disclosure of personal health
information without patient consent in a wide range of circumstances.
As a result, it would not provide adequate protection for PHRs, where
consumers should be in more control of their records, and may do more
harm than good. Further, it may not be appropriate for the Department
of Health and Human Services (HHS), which has no experience regulating
entities outside of the health care arena, to take the lead in
enforcing consumer rights and protections with respect to PHRs.
CDT applauds Congress for not extending HIPAA to cover all PHRs.\6\
Instead, Congress directed HHS to work with the Federal Trade
Commission (FTC) to come up with recommendations for privacy and
security protections for PHRs. This PHR ``study'' was due February 2010
but has not yet been released.
---------------------------------------------------------------------------
\6\ Under ARRA, PHRs that are offered to the public on behalf of
covered entities like health plans or hospitals would be covered as
business associates. Section 13408.
---------------------------------------------------------------------------
The agencies need not start from scratch in developing their
recommendations. In June 2008, the Markle Foundation released the
Common Framework for Networked Personal Health Information outlining a
uniform and comprehensive set of meaningful privacy and security
policies for PHRs. This framework was developed and supported by a
diverse and broad group of more than 55 organizations, including
technology companies, consumer organizations (including CDT) and
entities covered by HIPAA.\7\ In addition, CDT in 2010 issued a report
with further guidance to regulators on how the provisions of the Markle
Common Framework could be implemented in law.\8\ Establishing these
protections will likely require Congress to extend additional authority
to HHS and/or the FTC.
---------------------------------------------------------------------------
\7\ See http://connectingforhealth.org/phti/#guide. A list of
endorsers can be found at http://www.connectingforhealth.org/resources/
CCEndorser.pdf.
\8\ ``Building a Strong Privacy and Security Framework for PHRs,''
http://www.cdt.org/paper/building-strong-privacy-and-security-policy-
framework-personal-health-records (July 2010).
Ensure Appropriate Limits on Downstream Uses of Data
As noted above, HIPAA applies only to ``covered entities.''
However, under the HIPAA Privacy Rule, entities that contract with
HIPAA covered entities to perform particular services or functions on
their behalf using protected, identifiable health information (or PHI)
are required to enter into ``business associate'' agreements.\9\ Such
agreements may not authorize the business associate to access, use or
disclose information for activities that the covered entity itself
could not do under HIPAA.\10\ The agreements also are required to
establish both the permitted and required uses and disclosures of
health information by the business associate \11\ and specify that the
business associate ``will not use or further disclose the information
other than as permitted or required by the contract or as required by
law.'' \12\
---------------------------------------------------------------------------
\9\ 45 CFR 164.502(e)(1) & (2).
\10\ 45 CFR 164.504(e)(2)(i).
\11\ Id.
\12\ 45 CFR 164.504(e)(2)(ii)(A)
---------------------------------------------------------------------------
This combination of provisions demonstrates that HHS intended to
place limits on what a business associate can do with health
information received from a covered entity. However, one large national
business associate has been accused of using data they receive from
covered entities to support other business objectives,\13\ and some
privacy advocates have long suspected that such practices are more
widespread.
---------------------------------------------------------------------------
\13\ See http://www.alarmedaboutcvscaremark.org/fileadmin/files/
pdf/an-alarming-merger.pdf, pages 14-16.
---------------------------------------------------------------------------
In ARRA Congress took a significant step toward strengthening
accountability for business associates by making them directly
accountable to federal and state regulators for failure to comply with
HIPAA or the provisions of their business associate agreements.\14\ HHS
recently issued a proposed rule making it clear that accountability
also extends to subcontractors of business associates, taking positive
steps toward maintaining a consistent level of accountability for
privacy and security protections as personal health data moves
downstream.\15\ CDT strongly applauds these actions.
---------------------------------------------------------------------------
\14\ ARRA, section 13404.
\15\ 75 Fed. Reg. 40867-40924, at 40885 (July 14, 2010).
---------------------------------------------------------------------------
However, CDT remains concerned that the HIPAA Privacy Rule is not
sufficiently clear with respect to the important role of business
associate agreements in placing clear limits on how business associates
and their subcontractors can use and disclose patient data received
from covered entities. The reports of business associates using health
information to develop additional lines of business not directly
related to the services they have been asked to perform by their
covered entity business partners are either: (1) an indication that
HIPAA is not being adequately enforced or (2) evidence that some
business associate agreements are too permissive with respect to
additional uses of information. In this testimony below CDT calls for
stronger enforcement of HIPAA. Further, in comments to HHS CDT has
urged revising the Privacy Rule to require business associate
agreements to expressly limit the business associate's access, use and
disclosure of data to only what is reasonably necessary to perform the
contracted services.\16\ Failure to appropriately account for and
control downstream uses of data will jeopardize building trust in
health IT.
---------------------------------------------------------------------------
\16\ http://www.cdt.org/comments/cdt-comments-hhs-proposed-rule
(hereinafter, CDT Comments).
Strengthen Protections Against Re-identification of HIPAA De-Identified
Data
HIPAA's protections do not extend to health information that
qualifies as ``de-identified'' under the Privacy Rule. As a result,
covered entities may provide de-identified data to third parties for
uses such as research and business intelligence without regard to HIPAA
requirements regarding access, use and disclosure. In turn, these
entities may use this data as they wish, subject only to the terms of
any applicable contractual provisions (or state laws that might apply).
If a third party then re-identifies this data--for example, by using
information in its possession or available in a public database--the
re-identified personal health information would not be subject to
HIPAA.\17\ It could be used for any purpose unless the entity holding
the re-identified data was a covered entity (or had voluntarily
committed to restrictions on use of the data).
---------------------------------------------------------------------------
\17\ If a covered entity has a reasonable basis for knowing that
the recipient of ``de-identified'' data will be able to re-identify it,
the data does not qualify as de-identified. See 45 C.F.R.
164.514(b)(2)(ii).
---------------------------------------------------------------------------
There is value to making data that has a very low risk of re-
identification available for a broad range of purposes, as long as the
standards for de-identification are rigorous, and there are sufficient
prohibitions against re-identification. Neither condition is present
today. A number of researchers have documented how easy it is to re-
identify some data that qualifies as de-identified under HIPAA.\18\
---------------------------------------------------------------------------
\18\ See, for example, Salvador Ochoa, Jamie Rasmussen, Christine
Robson, and Michael Salib, Re-identification of Individuals in
Chicago's Homicide Database, A Technical and Legal Study (November
2008), http://web.mit.edu/sem083/www/assignments/reidentification.html
(accessed November 20, 2008).
---------------------------------------------------------------------------
Congress recognized this, and ARRA requires HHS to do a study of
the HIPAA de-identification standard; that study, due in February 2010,
is delayed. CDT has urged HHS to revisit the current de-identification
standard in the Privacy Rule (in particular, the so-called ``safe
harbor'' that deems data to be de-identified if it is stripped of
particular data points) to ensure that it continues to present de
minimis risk of re-identification.\19\ However, Congress need not wait
for the issuance of the study. To ensure consumers are protected,
Congress should enact provisions to ensure data recipients can be held
accountable for re-identifying data.
---------------------------------------------------------------------------
\19\ See http://www.cdt.org/healthprivacy/
20090625-deidentify.pdf for a more comprehensive discussion
of CDT's views on the HIPAA de-identification standard.
Encourage Use of Less Identifiable Data
Although the HIPAA provisions for de-identifying data need to be
revisited and strengthened, CDT also believes that privacy risks are
lessened when data has been anonymized to the greatest extent possible.
In particular, many non-treatment uses of health data--including
quality, research and public health--can be effectively done with data
where sufficient patient identifiers have been removed to make it
anonymous to the recipient. Unfortunately, federal and state privacy
laws do not sufficiently promote the use of less identifiable data.
Instead, they permit (in the case of HIPAA) or require (in the case of
many state reporting laws) the use of fully identifiable data
(including patient names, addresses, phone numbers, etc.), providing
little incentive to remove identifiers from data before its use.
Under the collection and use limitations of fair information
practices, data holders and recipients must collect, use and disclose
only the minimum amount of information necessary to fulfill the
intended purpose of obtaining or disclosing the data. The HIPAA Privacy
Rule incorporates these principles in the ``minimum necessary''
standard, which requires covered entities to use only the minimum
necessary amount of data for most uses and disclosures other than
treatment. This standard is intended to be flexible, but HHS has not
issued any meaningful guidance on this standard. As a result, covered
entities and their business associates frequently express concerns
about how to implement it, and CDT suspects that few covered entities
or business associates take affirmative steps to minimize the
identifiability of data.
The Privacy Rule does provide for two anonymized data options--
de-identification (as discussed above) and the limited data set (which
can be used for research, public health and health care operations). These
data sets provide greater privacy protection for individuals, but are
not useful for all purposes due to the number of identifiers that must
be removed before the data can qualify for either option.
ARRA attempts to strengthen the Privacy Rule's collection and use
limitations by strongly encouraging covered entities to use a limited
data set to comply with the minimum necessary standard, as long as
limited data is sufficient to serve the purposes for the data access or
disclosure.\20\ This section of ARRA also requires the HHS Secretary to
issue guidance on how to comply with the minimum necessary standard. In
comments to HHS, CDT has asked HHS to be clear in its guidance that
covered entities must address the identifiability of data in order to
be in compliance with the minimum necessary standard.\21\
---------------------------------------------------------------------------
\20\ ARRA, Section 13405.
\21\ See CDT Comments, supra note 16.
Tighten Rules Regarding Use of Patient Data for Marketing
The use of sensitive medical information for marketing purposes is
one of the most controversial practices affecting health privacy. In
health privacy surveys, use of data for marketing ranks as a top
concern among respondents.\22\ Consequently, protections against the
unauthorized use of personal health information for marketing purposes
are critical to building trust in new e-health systems.
---------------------------------------------------------------------------
\22\ In the 2006 Markle Foundation survey referenced in footnote 1,
89% of respondents said they were concerned about marketing firms
getting access to their personal health information online, and 77%
described themselves as ``very concerned.''
http://www.markle.org/downloadable-assets/research-doc-120706.pdf.
---------------------------------------------------------------------------
The HIPAA Privacy Rule has provisions intended to limit the use of
health data in marketing, but it historically was subject to a number
of exceptions. There also has been little regulatory or legislative
investigation of health marketing practices.
In ARRA, Congress took some steps to tighten the definition of
``marketing'' in the Privacy Rule. Under the new provisions,
communications that are paid for or ``subsidized'' by third parties are
marketing, and therefore require prior patient authorization--even if
those communications would otherwise not be construed as marketing
because they qualify for one of the existing exceptions. But even this
new provision includes exceptions that could swallow the rule. For
example, HHS has initially interpreted subsidized treatment
communications to be outside the new ARRA rules requiring prior patient
authorization. As a result, a covered entity can use a patient's data
without consent to send her a letter urging her to switch to a
different brand medication, even if that communication was paid for by
the manufacturer of the medication.\23\ Patients will experience these
communications as marketing and mistrust any system that allowed this
to happen without their authorization.
---------------------------------------------------------------------------
\23\ HHS did give patients the right to opt-out of receiving
subsidized treatment communications, but an opt-out is not as
protective of patient privacy as requiring prior consent.
Strengthen Accountability/Enforcement
When Congress enacted HIPAA in 1996, it included civil and criminal
penalties for noncompliance, but those rules have never been adequately
enforced.\24\ The Office for Civil Rights (OCR) within HHS, charged
with enforcing the HIPAA privacy regulations, had not levied a single
penalty against a HIPAA-covered entity in the nearly five years since
the rules were implemented, even though that office found numerous
violations of the rules.\25\ The Justice Department had levied some
penalties under the criminal provisions of the statute, but a 2005
opinion from DOJ's Office of Legal Counsel (OLC) expressly limited the
application of the criminal provisions to covered entities, forcing
prosecutors to turn to other laws in order to criminally prosecute
certain employees of covered entities who have criminally accessed,
used or disclosed a patient's protected health information.\26\
---------------------------------------------------------------------------
\24\ ``Effectiveness of medical privacy law is questioned,''
Richard Alonso-Zaldivar, Los Angeles Times (April 9, 2008), http://
www.latimes.com/business/la-na-privacy9aor09.0.5722394.story.
\25\ Id. Although this story is two years old, to the best of our
knowledge no civil monetary penalties have been assessed since that
time. Over the last couple of years HHS has extracted monetary
settlements (most recently from large chain pharmacies) for what were
largely violations of the HIPAA Security Rule. In materials connected
with these settlements, HHS made it clear that the amounts being paid
in settlement of the alleged violations were not civil monetary
penalties.
\26\ See http://www.americanprogress.org/issues/2005/06/
b743281.html for more information on the OLC memo and the consequences.
---------------------------------------------------------------------------
A lax enforcement environment sends a message to entities that
access, use and disclose protected health information that they need
not devote significant resources to compliance with the rules. Without
strong enforcement, even the strongest privacy and security protections
are but an empty promise for consumers. Further, HIPAA has never
included a private right of action, leaving individuals dependent on
government authorities to vindicate their rights.
In ARRA, Congress took a number of important steps to strengthen
HIPAA enforcement: \27\
---------------------------------------------------------------------------
\27\ See Sections 13409-13411 of ARRA.
---------------------------------------------------------------------------
State attorneys general are now expressly authorized
to bring civil enforcement actions under HIPAA, which puts more
hands on the enforcement deck.
As mentioned above, business associates are now
directly responsible for complying with key HIPAA privacy and
security provisions and can be held directly accountable for
any failure to comply.
Civil penalties for HIPAA violations have been
significantly increased. Under ARRA, fines of up to $50,000 per
violation (with a maximum of $1.5 million annually for repeated
violations of the same requirement) can now be imposed.\28\
---------------------------------------------------------------------------
\28\ Of note, the increased penalties went into effect on the day
of enactment--February 17, 2009. State Attorneys General are limited to
the previous statutory limits--$100 per violation, with a $25,000
annual maximum for repeat violations.
---------------------------------------------------------------------------
HHS is required to impose civil monetary penalties in
circumstances where the HIPAA violation constitutes willful
neglect of the law.
The U.S. Department of Justice can now prosecute
individuals for violations of HIPAA's criminal provisions.
The HHS Secretary is required to conduct periodic
audits for compliance with the HIPAA Privacy and Security
Rules. (The HIPAA regulations provide the Secretary with audit
authority, but this authority has rarely if ever been used.)
The ARRA provisions are a major advancement in enforcement of
federal health privacy laws, but enforcement is still lax. To
strengthen accountability and further build public trust in health IT,
CDT has two recommendations: (1) deem providers who are found to be in
significant violation (either criminally responsible or found to be in
willful neglect of the law) ineligible to receive subsidies under the
federal health IT incentive program, and (2) provide individuals with a
limited private right of action to enforce their HIPAA privacy rights.
With respect to the former (declaring a significant HIPAA violation
to be a disqualification for health IT subsidies), it is hard to
justify providing tax dollars as a reward for meaningful use of health
IT to an entity in significant violation of our nation's privacy laws.
With respect to a private right of action for privacy and security
violations, CDT recognizes that providing such a right for every HIPAA
complaint--no matter how trivial--would be inappropriate and
disruptive. However, Congress should give consumers some right to
privately pursue recourse in specific circumstances. For example,
policymakers could create compliance safe harbors that would relieve
covered entities and their business associates of liability for
violations if they meet the privacy and security standards but would
allow individuals to sue if they could prove the standards had not been
met. Another suggestion is to limit the private right of action to only
the most egregious HIPAA offenses, such as those involving intentional
violations or willful neglect.
Strengthen Accountability for Strong Security Safeguards
According to a recent survey of large health care organizations
conducted by the Health Information Management Systems Society (HIMSS):
Fewer than half (47%) conduct annual risk assessments
(which are required under the HIPAA Security Rule),
58% have no security personnel, and
50% reported spending 3% or less of organizational
resources on security.\29\
---------------------------------------------------------------------------
\29\ See testimony of Lisa Gallagher, Senior Director of Privacy &
Security, HIMSS,
http://healthit.hhs.gov/portal/server.pt?open=512&objID=1817&parentname=CommunityPage&parentid=28&mode=2&in-hi-userid=11673&cached=true
(November 19, 2009).
The prospect of storing and moving personal health data
electronically in an environment where security is a low institutional
priority should give us all pause. We need--through certified
electronic health record requirements and enhancements to the HIPAA
Security Rule--stronger requirements with respect to data security, as
well as more proactive education and guidance from regulators. Under
the meaningful use incentive program, the certification requirements
include a number of important security functionalities, including the
ability to encrypt data in motion and at rest, the ability to generate
an audit trail, and authentication and access controls.\30\ However,
there is no clear requirement, either in the meaningful use criteria or
in the HIPAA Security Rule, to actually implement and routinely use
these functionalities. Providers are required under meaningful use to
perform a security risk assessment and respond to any deficiencies
discovered, but this falls short of a clear requirement to implement or
have a plan for implementing the functionalities required for EHR
certification. CDT is continuing to advocate with regulators for
strengthened security requirements. Providers with fewer resources
(such as small physician practices) may need to have security
requirements scaled up over time; policymakers should, however,
consider imposing greater obligations on the connecting infrastructure
to better address gaps or potential weak links as these systems
develop.
---------------------------------------------------------------------------
\30\ http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf.
Promote a Measured Role for Government in Health IT Standards
Although most of this testimony concerns health IT privacy and
security, CDT would like to take this opportunity to reference a set of
collaborative comments drafted by the Markle Foundation and endorsed by
a broad range of stakeholders, including CDT. The comments concern the
role of standards in health IT and urge a limited role for government
in certifying health IT.\31\ CDT asks that these comments also be
included in the Subcommittee hearing record.
---------------------------------------------------------------------------
\31\ http://www.markle.org/downloadable-assets/20090430-meaningful-use.pdf
(see in particular, section 4) and
http://www.markle.org/downloadable-assets/20100510-collabcmts.pdf.
Conclusion
To establish greater public trust in HIT and health information
exchange systems, and thereby facilitate adoption of these new
technologies, a comprehensive privacy and security framework must be in
place. From traditional health entities to new developers of consumer-
oriented health IT products to policymakers, all have an important role
to play in ensuring a comprehensive privacy and security framework for
the e-health environment. Thank you for the opportunity to present this
testimony, and I would be pleased to answer any questions you may have.
Biography for Deven McGraw
Deven McGraw is the Director of the Health Privacy Project at CDT.
The Project is focused on developing and promoting workable privacy and
security protections for electronic personal health information.
Ms. McGraw is active in efforts to advance the adoption and
implementation of health information technology and electronic health
information exchange to improve health care. She was one of three
persons appointed by Kathleen Sebelius, the Secretary of the U.S.
Department of Health & Human Services (HHS), to serve on the Health
Information Technology (HIT) Policy Committee, a federal advisory
committee established in the American Recovery and Reinvestment Act of
2009. She co-chairs the Committee's Privacy and Security ``Tiger Team''
and serves as a member of its Meaningful Use, Information Exchange, and
Strategic Plan Workgroups. She also served on two key workgroups of the
American Health Information Community (AHIC), the federal advisory body
established by HHS in the Bush Administration to develop
recommendations on how to facilitate use of health information
technology to improve health. Specifically, she co-chaired the
Confidentiality, Privacy and Security Workgroup and was a member of the
Personalized Health Care Workgroup. She also served on the Policy
Steering Committee of the eHealth Initiative and now serves on its
Leadership Council. She is also on the Steering Group of the Markle
Foundation's Connecting for Health multi-stakeholder initiative.
Ms. McGraw has a strong background in health care policy. Prior to
joining CDT, Ms. McGraw was the Chief Operating Officer of the National
Partnership for Women & Families, providing strategic direction and
oversight for all of the organization's core program areas, including
the promotion of initiatives to improve health care quality. Ms. McGraw
also was an associate in the public policy group at Patton Boggs, LLP
and in the health care group at Ropes & Gray. She also served as Deputy
Legal Counsel to the Governor of Massachusetts and taught in the
Federal Legislation Clinic at the Georgetown University Law Center.
Ms. McGraw graduated magna cum laude from the University of
Maryland. She earned her J.D., magna cum laude, and her LL.M. from
Georgetown University Law Center and was Executive Editor of the
Georgetown Law Journal. She also has a Master of Public Health from
Johns Hopkins School of Hygiene and Public Health.
Chairman Wu. Thank you very much, Ms. McGraw.
Ms. Bass, please proceed.
STATEMENT OF DEB BASS, PRESIDENT AND CEO, BASS & ASSOCIATES
INC.
Ms. Bass. Thank you. Chairman Wu, Ranking Member Smith,
Committee Members, staff and guests, thank you for the
opportunity to present on this very important topic. I am
honored to be amongst such esteemed members of the health care
community, my fellow testifiers, all who are contributing so
much to the advancement of health care reform.
In preparing for this testimony, I spent considerable time
reflecting on our experiences in Nebraska. There is a great
deal of expert dialog on the topic. Certainly, hearings like
this provide additional subject matter expertise that will
surely benefit the ongoing development of standards for
interoperability and information security and health care
reform in general. It is clear that this Committee has
significant data and information at its disposal to continue
its pursuit to develop solid and workable standards.
I would like to focus my testimony on principles Nebraska
has implemented in this arena and respectfully share with you
the lessons that we have learned as we directly apply the
success of those efforts for those at the Office of the
National Coordinator who are developing these critical
standards.
There are three areas that have contributed tremendously to
Nebraska's success in implementing the federal health care
initiatives of achieving Meaningful Use: One, extensive and
persistent stakeholder engagement; two, physician engagement;
three, sharing the knowledge among the States.
As President and CEO of Bass and Associates and Executive
Director of NeHII, the Nebraska Health Information Initiative,
I have worked closely with the NeHII team and project members
to ensure we engaged key stakeholders across our state. We
knocked on doors, developed educational materials, and launched
community-based consumer education campaigns. We spoke in
cities and across rural Nebraska--rotary clubs, state
associations and chamber of commerce meetings. In short, no
stone was left unturned in our efforts to engage citizens
across the state. The Office of the National Coordinator has
done an excellent job of reaching out to the stakeholders
including our own opportunity to host Dr. Blumenthal on his
recent visit to Nebraska. Dr. Blumenthal took time from his
busy schedule to tour the NeHII-enabled facilities and witness
the successful health information exchange up close. I am
certain his travels are extensive and require a great deal of
effort but the benefits of these stakeholder visits across the
country are immeasurable.
As the ONC develops its next set of standards, I strongly
urge them to continue to avail themselves of stakeholder
conferences, meetings and other opportunities to demonstrate
their continued support of these standards, and I express
appreciation for the efforts states make to understand,
implement and adhere to these guidelines. The stakeholder
engagement is especially important as standards are being
examined and released, and particularly those supporting the
ONC's efforts to develop technical standards to address
interoperability demands. At its March 24, 2010, HIT Standards
Committee hearing, ONC identified the need to support a broader
set of stakeholders and providers in information exchange. This
I believe was another critical step in the right direction to
encourage stakeholders. We have included our circle for
pharmacists, dentists, chiropractors and school nurses.
NeHII was implemented using the most current available
standards and we remain committed to conforming to standards as
they are developed. We will make every effort to pursue the
conversations and affirmations from NeHII participants in
setting those standards to guarantee the ability of HIEs to
operate with the least amount of impact to daily operations.
Recently, I met with a state that, while it possessed all
the components to successfully build an HIE, is struggling with
the critical issue of physician adoption of their HIE. Our
conversations around solutions to reverse this trend revealed
how difficult it is to move forward on interoperability of
electronic records without fully engaged physicians. At NeHII,
we are fortunate to have Dr. Harris Frankel, a respected Omaha
practicing board-certified physician, who serves as the NeHII
visionary. In this capacity, he is able to reach deep within
the physician community as a respected leader and as one of
their own. I cannot tell you the number of times Dr. Frankel's
reach within the physician community allowed us access to
respected physicians who became champions of NeHII and
therefore supported interoperability across the health care
spectrum. Dr. Blumenthal is a practicing physician and enjoys
this esteem as well. His continued contact with the physician
community toward adhering to standards and interoperability of
electronic records will be the cornerstone to engaging this
critical constituency and ultimately one of the key success
factors of health care reform.
Finally, I believe the Office of the National Coordinator
should continue to be a dedicated resource for current
information in offering a collection of lessons learned and
best practices for states to rely upon. A national repository
of best practices from all states would be a helpful guide in
that direction. We at NeHII have offered, and to date 16 states
have accepted, our privacy and security policies for states to
utilize and as an example for drafting their own policies.
Sharing this information has engendered goodwill, trust, and a
shared commitment. I urge the ONC to facilitate the sharing of
knowledge among states throughout the reform effort. The ONC's
Support Grant Opportunity administered through RTI [Research
Triangle Institute] is an excellent example of encouraging
states to cooperatively identify barriers and share knowledge
in overcoming them.
Chairman Wu, Ranking Member Smith, and Members of the
Committee, thank you for the opportunity to testify today. Your
commitment to reach out to those who shoulder the largest part
of health care reform effort is much appreciated and will go a
long ways toward its continued success. I look forward to
answering your questions. Thank you.
[The prepared statement of Ms. Bass follows:]
Prepared Statement of Deborah Bass
Chairman Wu, Ranking Member Smith, Committee Members, Staff and
Guests:
Thank you for the opportunity to present on this important topic. I
am honored to be among such esteemed members of the health care
community, my fellow testifiers, all who are contributing so much to
the advancement of health care reform.
In preparing for this testimony, I spent considerable time
reflecting on our experiences in Nebraska. There is a great deal of
expert dialogue on this topic in the industry. Certainly, hearings like
this provide additional subject matter expertise that will surely
benefit the ongoing development of standards for interoperability and
information security, and health care reform in general. It is clear
this committee has significant data and information at its disposal to
continue its pursuit to develop solid and workable standards.
I would like to focus my testimony on principles Nebraska has
implemented in this arena and respectfully share with you lessons
learned I believe directly apply to the success of the efforts for
those at the Office of the National Coordinator who are developing
these critical standards.
There are three areas that have contributed tremendously to
Nebraska's success in implementing the federal health care initiatives
of achieving meaningful use:
- Extensive and persistent stakeholder engagement
- Physician Engagement and,
- Sharing knowledge among States
As President and CEO of Bass & Associates, and Executive Director
of NeHII, the Nebraska Health Information Initiative, I worked closely
with our NeHII team and project members to ensure we engaged key
stakeholders across the State. We knocked on doors, developed
educational materials and launched community-based consumer education
campaigns. We spoke in the cities and across rural Nebraska at Rotary
Clubs, State Associations and Chamber of Commerce meetings. In short,
no stone was left unturned in our efforts to engage citizens across our
State. The Office of the National Coordinator has done an excellent job
of reaching out to stakeholders, including our own opportunity to host
Dr. Blumenthal on his recent visit to Nebraska. Dr. Blumenthal took
time out of his busy schedule to tour NeHII-enabled facilities and
witness our successful health information exchange up close. I am
certain his travels are extensive and require a great deal of effort,
but the benefits of these stakeholder visits across the country are
immeasurable.
As the ONC develops its next set of standards, I strongly urge them
to continue to avail themselves of stakeholder conferences, meetings,
and other opportunities to demonstrate their continued support of these
standards, and express appreciation for the effort States make to
understand, implement and adhere to their guidelines across the
country. This stakeholder engagement is especially important as
standards are being examined and released, in particular those
supporting the ONC's efforts to develop technical standards to address
interoperability demands. At its March 24, 2010 HIT Standards Committee
hearing, ONC identified the need to support a broader set of
stakeholders and providers in information exchange. This, I believe,
was another critical step in the right direction to encourage
stakeholders to embrace the new standards.
NeHII was implemented using the most current available standards,
and we remain committed to conforming to new standards as they are
developed. We will make every effort to pursue the conversations and
affirmations from NeHII participants in setting those standards to
guarantee the ability of HIEs to operate with the least amount of
impact to daily operations.
Recently, I met with a State that, while it possessed all of the
components to successfully build an HIE, is struggling with the
critical issue of physician adoption of that same HIE. Our
conversations around solutions to reverse this trend revealed how
difficult it is to move forward on interoperability of electronic
records without fully engaged physicians. At NeHII, we are fortunate to
have Dr. Harris Frankel, a respected Omaha practicing, board-certified
physician, who serves as the NeHII visionary. In this capacity, he is
able to reach deep within the physician community as a respected leader
and as one of their own. I cannot tell you the number of times Dr.
Frankel's reach within the physician community, and not a little of his
Midwestern charm, allowed us access to respected physicians who became
champions of NeHII and therefore supported interoperability across the
healthcare spectrum. Dr. Blumenthal, as a practicing physician, enjoys
this esteem as well. His continued contact with the physician community
toward adhering to standards in interoperability of electronic records
will be the cornerstone to engaging this critical constituency and,
ultimately, one of the key success factors of health care reform.
Finally, I believe the Office of the National Coordinator should
continue to be a dedicated resource for current information in offering
a collection of lessons learned and best practices for States to rely
upon. A national repository of best practices from all States would be
a helpful guide in that direction. We at NeHII have offered, and to
date 16 States have accepted, our Privacy and Security policies for
States to utilize as an example for drafting their own policies.
Sharing this information has engendered good will, trust and a shared
commitment. I urge the ONC to facilitate the sharing of knowledge among
States throughout the reform effort. The ONC's Support Grant
Opportunity, administered through RTI, is an excellent example of
encouraging States to cooperatively identify barriers and share
knowledge in overcoming them.
Chairman Wu, Ranking Member Smith and members of the Committee,
thank you for the opportunity to testify today. Your commitment to
reach out to those who shoulder the largest part of the health care
reform effort is much appreciated and will go a long way toward its
continued success. Thank you.
Biography for Deborah Bass
Ms. Deborah Bass is the Executive Director and active board member
for the Nebraska Health Information Initiative (NeHII). NeHII is the
statewide health information exchange in the State of Nebraska. Ms.
Bass directed the creation of this 501(c)(3) non-profit corporation
and currently oversees and manages the continued efforts in the
development of Nebraska's statewide Health Information Exchange (HIE).
Her duties have included creating and developing stakeholder
relationships, building consensus and support for the organization,
communications and implementing Board of Directors recommendations,
managing vendor relationships, recruiting and building the management
team, developing and implementing the consumer educational campaigns,
leading the committee effort to develop the privacy, security and
operational policies, writing the business plan, planning and leading
the organization's public events and a multitude of other activities
associated with implementing HIE. She is a regular public speaker for
national conferences on a number of topics surrounding the development
and future of HIE.
Chairman Wu. Thank you, Ms. Bass.
And now it is in order for questions, and the Chair
recognizes himself for five minutes.
Dr. Blumenthal, in Dr. Gibson's testimony, he notes that
there aren't enough IT implementation professionals to help
with the implementation of health IT systems. Can you tell us
what the Office of the National Coordinator has done to provide
assistance to educational institutions to expand the health IT
workforce? And Dr. Gibson, can you tell us what other
assistance may be helpful to educational institutions to help
with workforce needs. Dr. Blumenthal?
Dr. Blumenthal. Thank you, Mr. Chair. We agree with Dr.
Gibson, and in fact, the HITECH legislation very wisely
encouraged us to support the training of health IT
professionals. We have provided funding to 84 community
colleges around the country to train a group of IT
professionals who will be certified as competent to assist with
the installation and maintenance of information technology but
also to help professionals and hospitals with redesigning their
work flow to take advantage of those new technologies.
We also have a series of curriculum development grants, one
of which has gone to the Oregon Health Science University, to
develop the curricula for these community college programs and
we have developed a certification exam through a contract, a
grant, actually, with another university to be able to certify
these professionals. We expect to train in excess of 40,000 new
health information technology professionals. The first class
has enrolled in community colleges as of this fall so they will
be graduating in the winter and in the spring of this year. So
that will be in time for Meaningful Use Stage 1. It would be
nice if they had been trained before the HITECH Act was passed
but we are trying to live within the realities that we face.
Chairman Wu. Thank you very much.
Dr. Gibson.
Dr. Gibson. I think that the training that has been
prescribed is excellent and I think it will help a great deal
and I believe in that. Oregon is a proud leader in training
many of those people at the community college level. I think
practices will find it helpful, and it should address some of
the need. I am concerned just with the many hundreds of
thousands of eligible providers that the timeline might be a
bit longer than we expect but I think we are all going in the
right direction right now on that.
Chairman Wu. Terrific. Thank you very much.
Last week the Office of the National Coordinator released a
framework that will coordinate future work on interoperability
and standards. How will the framework identify priorities and
allow for stakeholder input and interface with the Health IT
Standards Committee?
Dr. Blumenthal. The framework is a means to an end, Mr.
Chairman. Actually our priorities for developing standards are
identified by the Meaningful Use framework, by the requirements
for Meaningful Use that health professionals and providers
across the country have to meet. We go backward, we work
backward from the Meaningful Use requirements to identifying
the standards, the capabilities that electronic health systems
have to have, and that actually gives us guidance which the
Health IT Standards Committee then works on to recommend
standards. So it is really an ends-driven process. We focus on
outcomes, the health of patients and what the record has to do
in order to improve the health of patients, and that gives us
guidance as to standards.
The framework that you referred to is a method of producing
those standards, so once we know which standards we need, we
then go to the framework and say what is the process for
standards development. That process needs to be inclusive. It
needs to be inclusive of other federal agencies like NIST. It
needs to be inclusive of stakeholders. It needs to be inclusive
of standards development organizations, the profession and all
the many voices that are interested in our standards work. But
ultimately it is not a standards-driven process, it is a health
care-driven process, and we are trying to put in place the
requirements for records to make them tools to improve the
health and safety of the population.
Chairman Wu. Thank you.
And Ms. Roberts, you mention in your testimony that NIST is
working with Health and Human Services' Office of Civil Rights
to develop baseline security configuration checklists as well
as conducting outreach and awareness about security challenges
for health IT. Can you focus down on the specific challenges
for smaller practices in implementing these security
regulations?
Ms. Roberts. Yes. One of the things, the very first thing
that a small practice needs to do is a risk assessment to
determine what the risk is in the environment that they are in
and then based on their risk assessment they can choose which
security controls they would need to put in place in order to
meet the security requirements spelled out in the security
rule. So it is sort of graduated. If the risk is fairly low,
then they don't have as many controls they need to put in place
but larger practices have more risk and they will have to put
more in place.
Chairman Wu. Thank you very much.
Mr. Smith, five minutes.
Mr. Smith. Thank you, Mr. Chairman.
I am wondering if any of our witnesses could comment on how
perhaps consumers could be empowered through health IT. And I
understand we want to maintain privacy but I think that
consumers, if they become patients, would be empowered and I
think more effective in managing their own health care, perhaps
assuming better health habits and so forth through health IT,
and if anyone would wish to talk about that.
Dr. Gibson. Yes, I would like to address that. I think that
electronic health records really will allow patients to be much
more involved in their health care than they are now because I
believe ultimately they will have access to the full
professional record, not a diminished record that has only part
of it. Ultimately they will have access to all their laboratory
results, diagnostic imaging reports, problem lists, medication
lists, allergy lists. They will be looking at the same data
that their providers look at, and with the use of the Internet
so that they can bone up on what the professional diagnoses
are, I think they will come to the table saying, you know, I
have read about this, I have concerns about how this treatment
might affect my lifestyle and that sort of thing. So we are
quite looking forward to having patients more on an equal
footing with their providers because of the spreading of
electronic data into the home.
Ms. McGraw. The law has always required providers to
provide patients with a copy of their health information if
they ask for it but Congress took some significant steps
forward in that regard to make sure that happens by being very
clear when a provider has an electronic health record, that
copy has to be electronic, and then with respect to the
Meaningful Use criteria, there are a number of provisions that
are required for Meaningful Use that involve sharing data with
patients, and not just when they ask, but giving them a
discharge summary, for example, and instructions and a summary
of their care, and I suspect that in stage 2 this will be
enhanced even more. And the other thing that Congress did was
to say not only can you get your electronic copy of your
record, but if you want your provider to send it to your
personal health record if you have opened up one of those
either because the provider gave it to you or your health plan
sponsors one or you signed up for one from an Internet company
like Microsoft or Google. So I completely agree with you and it
is absolutely privacy enhancing to give people copies of their
data. It helps to reduce errors because patients catch them.
Ms. Bass. I would like to comment on real-life examples
that we have seen in Omaha. We have had an operational HIE now
for over 18 months and throughout the State of Nebraska, not
just Omaha. Our opt-out rate--we are an opt-out platform. The
opt-out rate has been anywhere between one and a little over
three percent of the general population. I think Nebraska has
been viewed as somewhat of a conservative state, so I think
that speaks well to how well the consumer is anxious to have
this opportunity. Many times when we educate them about their
decision that they make at this point, at the point of care,
their comment is, so if I sign up for this, I am not going to
be handed the pencil and clipboard every time I see my
physician. I can say it is interesting how many times that
comment is made.
I also have had situations, and I think sometimes we think
it is a generational thing that the older generations are more
concerned versus the younger generation are very interested in
having this information. I have had elderly individuals that
come to the office, and my receptionist will call me and she
will say there is one of those individuals out there. They had
opted out of the system and then they educated themselves and
they were adamant to be back into the system and they asked me
how long will this take for you to do the processing, and we
have made it difficult. Once they have opted out, we make it
difficult for them to get back in. But they want to know how
long is it going to take for me to get back into the system now
that I understand what this is all about.
Mr. Smith. Okay. What about then connecting the care and
consumer, their own detection of perhaps what might be
necessary or even with the advice of their provider tying that
to the financing? I think that there is not--anecdotally, I
think that there is not enough access to the dollars associated
with the care over the phone. I mean, when you have providers
say well, we don't provide that over the phone. Is there any
way we can tie that in? I mean, I would think there would be
less concern about--but still we need to be sensitive to the
privacy issues but to involve consumers more in the financing
of their care, whether it is third-party payer or not.
Ms. Bass. I can go on to comment about some of these real-
life examples. One of the individuals that came to the office
that insisted to be opted back in as soon as possible had just
had to experience a second round of testing because he left one
health system and went to another health system, and he
received a bill for that, and he said so I understand if I sign
up for this, this is not going to happen any longer, and we
said yes. He got it. And I think there are many out there that
as we are having to pay for more and more of our health care
costs are becoming much more aware of what it costs and
duplicative tests and how to avoid them.
Mr. Smith. Okay.
Ms. Sensmeier. I would just like to speak to the standards
aspect of that. There are standards available from the HITSP
work products for consumer empowerment which would enable their
personal health record data to be exchanged with the electronic
health record, so work is there to support your concerns.
Mr. Smith. Okay. Thank you.
Chairman Wu. Thank you very much, Mr. Smith.
Dr. Gibson, you noted in your testimony that implementing
EHRs is somewhat stressful for physicians, particularly in
small practices, and that further, it is essential that we are
able to transfer patient information as easily as fax machines
accomplish that transfer today. What are the biggest challenges
in making this data transfer that easy for physicians,
particularly in small practices?
Dr. Gibson. The technology needs to be such that the
provider himself or herself or their staff can do it directly,
that they can do it without perhaps having a health information
exchange in their local or regional area, and that is the key
point. If an electronic health record for a small practice is
going to exchange with a health information exchange, that
electronic health record will still need to export those data,
and the point of my testimony is just let us make a requirement
that electronic health records can export and import those data
directly because most care occurs among providers who are known
to each other so if you are in John Day, Oregon, your family
doctor and perhaps a surgeon are likely to be in the same town.
They are going to be known to each other and to the patient and
so the need is for the office of the family doctor to be able
to send the records to the surgeon without requiring that the
State of Oregon provide a health information exchange. We will,
ultimately. So my comments address the shorter-term need of
saying let us require in the next round of standards that the
EHRs have to do it so you just put in the address of the
receiving provider and then it is done without requiring a
third party to intervene.
Chairman Wu. Thank you very much.
Ms. McGraw, there is a lot of personal data openly
available today and we deidentify some of that data. You
addressed the reidentification phenomenon and potentially the
need to impose some sanctions for reidentification. Can you
unpack that set of ideas a little bit for us? This is a hot
issue for us.
Ms. McGraw. Yeah. I rushed through it a bit. So we have a
standard in the HIPAA privacy rule for data deidentification
and there are two prongs to it. One is what is called a safe
harbor because it is fairly easy for people to implement. There
are 19 different common identifiers that you must strip out of
the data in order for it to qualify as deidentified, and it
doesn't mean that it goes down to zero risk of reidentification
but the risk is supposed to be very small. And then the other
mechanism, if you want to be able to leave some identifiers in
like dates of service, for example, which are often needed in
research but other identifiers are not. So you can use a
statistician and they can do their math magic to make it so
that it meets the same standard of having a very low risk of
reidentification. So that is already in the law.
The problem I think is, number one, the safe harbor was
created more than five years ago and now, as you mentioned,
Chairman Wu, there is a lot of other personal information
widely available on the Internet and with respect to
reidentification, the risks are about what the recipient might
have access to in order to connect the dots and put that data
set together in a way that makes it possible to reidentify
individuals. And so we tend in the law to treat deidentified
data as though it has reached some sort of holy grail moment of
posing no risk at all regardless of who gets it or what data
they have access to. So we need to rethink the standard. I
think that is what HHS is focusing on now at the direction of
Congress. But even if we tighten the standard as much as we
possibly could, to still make that data more widely available
as it has lots of important purposes both in health care as
well as in business analytics. If in fact that data goes to an
entity who then reidentifies it, puts two and two together, we
don't right now have a mechanism in the law to reach them to
say you weren't supposed to do this. Right now, you would hope
that entities when they release the data actually contractually
require the entities not to reidentify it, but even that if it
happens, because it is not required to happen, that is the
extent of accountability is only through that contract and
usually only the contracting parties, not law enforcement or
governmental authorities or even an individual under a private
right of action.
Chairman Wu. Does anyone else want to comment on this
reidentification problem?
Dr. Blumenthal. Mr. Chairman, it is very much on our minds
as we go forward at the Office of National Coordinator. We do
have a study that is ongoing. I think we are going to have to
look at the science of deidentification and identification, if
you will, and come to a consensus on what level of risk we can
tolerate for reidentification and then what level of removal,
what kinds of removals of information are required to get to
that level of risk, and that is going to require that we
continually look at the Internet and the information that is
available, and it is not going to be a one-time judgment. It is
a judgment that we are going to have to continue to make based
on how the technology advances. But it is something that we
recognize is critical to assuring public trust and enabling
some of the most valuable uses of information to go forward.
Chairman Wu. Thank you. Earlier we had a sidebar discussion
about proper compensation for Meaningful Use. There will be
compensation for Meaningful Use from Medicare and Medicaid. To
what extent would compensation from private insurers be helpful
in the uptake of health care information technology?
Dr. Blumenthal. We think, at the Office of National
Coordinator, it would be extremely valuable. The Federal
Government does pay for probably 40 percent, roughly, of the
health care bill but there is another 60 percent that benefits
from the availability of health information technology. In
August we actually worked with some of the major insurance
companies to help to get them to agree to begin to incorporate
meaningful use in their pay-for-performance programs. So United
Health Care, Aetna, and Wellpoint all agreed that they would
start to look for Meaningful Use as an indicator of either high
performance or quality improvement and United Health Group said
that they were going to launch a pilot project to make loan
funds available in two states for physicians who want to adopt
electronic health records.
Chairman Wu. And how much of a bump are the private
insurers considering for Meaningful Use?
Dr. Blumenthal. You mean how much are they willing to put
on the table? I think that remains to be seen. We are going to
keep working with them. We are actually going out to meet with
the Blue Cross Association in a month or so to talk about the
same issue. What I can assure you is that we will continue to
work with them to try to make sure or try to assure that their
contribution is a meaningful contribution.
Chairman Wu. Ms. Bass.
Ms. Bass. Thank you, Chairman Wu. I would like to comment
on this as well. Blue Cross Blue Shield of Nebraska has been a
significant player in the implementation of HIE and they
currently pay a license fee of $25,000 a year plus a dollar per
member per year and we are talking about increasing that levy
to $1.50. So they have been an active participant but I will
tell you that we have also met with the other providers or the
other payers in the State of Nebraska and they are somewhat
hesitant to play a role in this, and their answer,
understandably so, is that we deliver health insurance on a
national perspective so we are looking for a national strategy
versus having to accommodate state by state. So again, to be
able to help us find a way around that obstacle, it is critical
that we have them participate.
And then to go back to your previous point about the
deidentified/reidentified data, that was a huge issue for us as
we developed our privacy and security policies, and hence--we
were talking about this prior to the HITECH Act. So originally
we were designed for treatment and payment purposes only, but
even to this point in time we only provide eligibility
verification for Blue Cross Blue Shield and it is because of
this fear of reidentification, and we have excluded all
research for that fear.
Chairman Wu. Thank you.
Dr. Gibson, my understanding is that there is a private
insurer in Portland, Oregon, which provides some compensation
for use of health information technology to private providers.
Can you tell us something about that?
Dr. Gibson. I am sorry. I am unaware of that. I am sorry I
am not able to contribute. Can you give more----
Chairman Wu. I think it is the Providence Group. I am not
completely confident of that.
Dr. Gibson. Okay. That they would provide funding for
sharing of health information? Yes.
Chairman Wu. That is, if the record--if reimbursement is
submitted to Providence, that Providence would provide a small
bump in the reimbursed amount.
Dr. Gibson. Oh, the Providence health plan does provide--I
apologize, Chairman Wu. You are absolutely right. Providence
health plan does provide--give extra one percent payment to
physicians if they have an electronic health record.
Absolutely. Thank you for reminding me.
Chairman Wu. It is one percent?
Dr. Gibson. One percent.
Chairman Wu. Thank you very much, Dr. Gibson.
Dr. Gibson. Thank you.
Chairman Wu. Mr. Smith, do you have any further questions?
Mr. Smith. Just one briefly.
Dr. Blumenthal, it is my understanding that some large
organizations, health care organizations, kind of are early
adopters and they have been innovative. How do we dovetail what
they have already done and how do we take that into account,
you know, without rendering the progress that they have made
useless or certainly the expenditures that they made
worthwhile?
Dr. Blumenthal. Well, fortunately, though the United States
lags behind most of the western world in its adoption and use
of information technology in health care, there are some large
organizations that are leaders in the United States and I think
are as far along or further along than any place else in the
world, and these are organizations whose names we would all
recognize, places like the Mayo Clinic and the Cleveland Clinic
and Intermountain Health Care in Salt Lake City, and so that is
good news. They will, because of their farsighted investments,
be eligible for Meaningful Use compensation just as any other
organization would be. We are trying to take advantage of the
lessons they have to learn--they have to teach, and we
certainly engage them. We engage them in our Policy Committee.
We have representatives from Intermountain on our Policy
Committee, for example, as well as from the Rankin Street--on
the Standards Committee, someone from the Rankin Street program
which is in Indianapolis, which is another leader in health IT.
So we take advantage of their input on an almost daily basis in
terms of our policy development.
Our learning--our effort to enhance the adoption of health
information technology works to a large degree through a
program called the Regional Extension Center Program. This is a
program that is actually modeled on the USDA Agriculture
Extension Program, and its goal, if I can sort of over-
generalize and over-simplify, is to bring the latest
information technology to the family doctor the way the U.S.
Agriculture Extension Service brings technology to the family
farm. That group, that program is oriented towards small
practices and underserved areas including rural areas and to
critical access hospitals. Now, they will be trying to channel
the lessons that have been learned elsewhere in our health
system to make them available to the least well-resourced,
least IT-sophisticated members of the health care community,
and that is why we have focused them on small primary care
practices in underserved areas and critical access hospitals,
but they will create learning communities that we hope will
take advantage of the latest progress that has been made.
Mr. Smith. And then very briefly, we have heard a little
bit about the ARRA funds, they are going to go away, and Dr.
Blumenthal, can you speak to how that might be addressed long
term? I mean, can we achieve a lot with a one-time expenditure
as opposed to maintaining the need for a budget line item in
perpetuity?
Dr. Blumenthal. Well, one way to think about the ARRA
funding is as a pump primer, so ultimately the use of health
information technology in my view is a part of the business of
health care and it should be a private sector responsibility. I
think the investment that the Congress and the Administration
have made was meant to correct a market failure which stemmed
from the fact that we don't sufficiently reward providers for
care for high performance, lower cost, higher quality. We pay
them by piecework whether it is a high-quality or high-cost
product or a low-quality product. So there wasn't an incentive
to pay the money that is required in order to get health
information technology so I think we needed to prime the pump.
We will very soon, I think, see that it becomes an
essential part of providing care to the American people, one
that physicians, nurses, health care institutions don't feel
they can afford not to have, and at that point I think the
Federal Government and my office can pass the baton to the
professional community, to the hospitals, the nurses of the
country, and the market will take off and do its own work for
the American people.
Mr. Smith. Okay.
Dr. Gibson. I thoroughly agree with Dr. Blumenthal. If you
survey providers a year after they have gone on an EHR, 90
percent of them say they would never go back to paper, so they
realize the benefits. It is that intervening year that I think
that the priming of the pump that Dr. Blumenthal's office and
CMS have provided for is adequate to the degree that it will
stimulate doctors to switch over. Once they get over, there
will be a network effect. They won't be able to communicate as
easily with their colleagues without an electronic health
record. I think that consumer pressure will be such that,
``gee, doctor, don't I have access to your records; if not, why
not?'' So I believe that that will take over and I don't see a
longstanding line item in the budget for this.
Mr. Smith. Ms. Sensmeier?
Ms. Sensmeier. Yes. Another thing to note is, since 1994
HIMSS has sponsored the Davies Award, which awards
organizations and public health systems, community health
organizations and private practices for implementing electronic
health records, and it is notable that they all identify the
return on investment for them. I mean, it is certainly a huge
investment up front but at the end they have improved their
processes and really all of them have achieved cost savings, so
that is noteworthy as well. And two of them are from the State
of Oregon, two of the winners, Chairman Wu.
Mr. Smith. Ms. Bass.
Ms. Bass. Thank you. We take that call from the ONC to be
sustainable within four years very seriously, and we are
already beginning to see some of the opportunities just as the
web services came from the World Wide Web, we are beginning to
see HIE services, and I visited with a group this morning about
some of the things that we are doing to be able to generate
revenue, and I can go into detail on some of those but we are
very confident that we will be seeing many opportunities to
create revenue through the health information exchange.
Mr. Smith. Okay. Thank you, Mr. Chairman.
Chairman Wu. Thank you.
Many of you traveled long distances and also spent a lot of
time and energy preparing your testimony, and I want to give
you all an opportunity to add anything to your testimony that
we have not asked about today.
Dr. Blumenthal. I just want to express my gratitude to the
Congress for putting in place the HITECH Act. I think it is a
superb piece of legislation that as I have gotten to know it
and trying to implement it, I have been impressed at how it
addresses almost all the major issues that we need to address
with respect to the implementation of an electronic health
system in the United States. That is not to say it is going to
be easy but I think you have given us a great start. So my
appreciation to you and your colleagues.
Chairman Wu. Thank you, Dr. Blumenthal.
Anyone else?
Ms. Roberts. I would like to echo his comments as well as
to thank the Committee for recognizing NIST's role in health IT
and ensuring that we are involved as a partner with ONC in
making this go forward. Thank you.
Chairman Wu. We appreciate NIST's work.
Ms. Sensmeier.
Ms. Sensmeier. Thank you, Chairman Wu. I just would like to
briefly go back to your comments on the workforce and I want to
emphasize how important that is, and also recognize the role of
nurses in this process. It is often a silent voice, and there
are 3.1 million of us out there and there are approximately
9,000 informatics nurses working in the United States helping
to implement and lead these projects. So it is critical work
and I appreciate the support that you have put to the workforce
efforts in making sure we all have the competencies for
informatics we need to do this work.
Chairman Wu. Thank you very much.
Dr. Gibson. I also would like to commend Congress for the
HITECH Act, the Meaningful Use final rule, and the remarkable
cooperation between the Office of the National Coordinator and
the Centers for Medicare and Medicaid Services who have brought
order out of chaos within electronic health records. We now see
where we need to go. I think it will be very challenging to get
there. I also want to state that I believe that this
information technology is crucial in terms of bringing down
health care costs in the long run. We are not the answer. We
are an enabling technology that ultimately will allow all the
care to be subject to review and comparison to national
scientific standards, and I think it will be a useful
technology in the long run as we work on the challenging
problem of health care and health care cost and quality. Thank
you for allowing me to testify.
Chairman Wu. Thank you very much.
Ms. McGraw.
Ms. McGraw. I feel like I got some good opportunities to
speak so I don't have anything to add but I am happy to follow
up with additional information such as ideas about the
deidentification/reidentification issue, the security issues I
raised and anything else in my testimony.
Chairman Wu. Thank you.
Ms. Bass.
Ms. Bass. I too would like to echo, thank you for the work
that you have done. It has been outstanding.
One point I do want to make when we are talking about
enabling EHR to talk to other EHRs to be aware of the interface
fees that can be obstacles, and I just wanted you to be aware
of that piece of information. Also, I would like to close with
the fact that I too was a registered nurse for 20 years before
I went into technology, and I am very thankful that because of
the work you are doing, people are no longer asking me what
technology has to do with nursing. Thank you.
Chairman Wu. Thank you very much, and thank you all for
appearing before the Subcommittee this afternoon. The record
will remain open for two weeks for additional statements from
Members and for questions to any follow-up questions the
Committee may ask of the witnesses. The witnesses are excused
and the hearing is adjourned. Thank all very, very much.
[Whereupon, at 11:31 a.m., the Subcommittee was adjourned.]
Appendix 1:
----------
Answers to Post-Hearing Questions
Responses by Dr. David Blumenthal, National Coordinator for Health
Information Technology, Office of the National Coordinator,
U.S. Department of Health and Human Services
Questions submitted by Chairman David Wu
Q1. As your testimony describes, there are many health IT
implementation activities currently occurring around the country. Could
you please describe how the standards needed for all of these
initiatives, such as state and national health information exchanges
and meaningful use, are being coordinated by the Office of the National
Coordinator?
A1. The Health Information Technology for Economic and Clinical Health
(HITECH) Act includes several sections that authorize the Office of the
National Coordinator for Health Information Technology (ONC) to
coordinate standards activities and, in so doing, assure that
meaningful public input is obtained.
The HITECH Act established two Federal Advisory Committees (the HIT
Policy Committee and HIT Standards Committee) from which we regularly
seek recommendations. Each committee plays a specific role with respect
to standards coordination. The HIT Policy Committee is charged with
recommending the areas in which standards, implementation
specifications, and certification criteria are needed for the
electronic exchange and use of health information as well as a priority
order for the development, harmonization, and recognition of standards,
implementation specifications and certification criteria. The HIT
Standards Committee is charged with recommending to the National
Coordinator the standards, implementation specifications, and
certification criteria developed for the electronic exchange and use of
health information. It is also responsible for recognizing harmonized
or updated standards from an entity or entities for the purpose of
facilitating the achievement of uniform and consistent implementation
of such standards and implementation specifications. Finally, once HIT
Standards Committee recommendations are issued to the National
Coordinator, the HITECH Act requires that the National Coordinator must
determine whether to endorse each standard, implementation
specification, and certification criterion recommended for the purposes
of adoption by the Secretary under section 3004 of the Public Health
Service Act.
Among these activities and within this statutory context, ONC has
also recently developed and established the Standards and
Interoperability Framework (the Framework) to proactively identify
areas requiring standards harmonization, development, and coordination
across the many activities in which we are engaged.
The Framework seeks to implement a coordinating process that is
inclusive of SDOs, the provider community, and the public with the
purpose of developing and harmonizing standards and specifications. The
Framework supports the coordination of standards from the
identification of a particular challenge requiring new or harmonized
standards, to the testing and certification criteria that are necessary
to ensure compliance with those standards.
Each step in the Framework is meant to engage affected and relevant
stakeholders to assure full participation and involvement from
qualified, knowledgeable resources. This is especially important in
working with healthcare standards, which in most cases have been
developed by collaborative processes external to the Framework and
which have a cumulative body of knowledge to draw from.
Q2. What efforts is the Federal Government involved in to help
coordinate and align U.S. health IT standards with those used
internationally?
A2. ONC has been regularly involved in international health IT
standards coordination meetings with leadership from a number of
countries including Canada, the UK, and Australia. Earlier this month,
ONC staff participated in a meeting convened in Cambridge, MA by Health
Level 7 International (HL7) to discuss standards development and
coordination.
Across our international partners, there is an interest in finding
commonality in health IT standards, and significant progress has been
made, including the widespread adoption of international standards such
as the Systematized Nomenclature of Medicine - Clinical Terms (SNOMED).
SNOMED originated as a U.S.-England collaboration, but is now
maintained by The International Health Terminology Standards
Development Organisation (IHTSDO). This summer, the IHTSDO announced an
agreement with the multi-lateral World Health Organization (WHO) to
integrate SNOMED into the WHO's international classification of disease
(ICD) terminology.
Additionally, ONC is supporting, along with the Healthcare
Information and Management Systems Society (HIMSS) and the American
Health Information Management Association (AHIMA), a US-led Secretariat
to the technical advisory group (TAG) for ISO TC 215, the international
standards organization for health care standards.
Q3. You mentioned that ONCHIT is working on a study regarding the de-
identification of private data. When will this study be published?
A3. The draft report associated with the study was recently submitted
and is currently under review by ONC and the HHS Office for Civil
Rights, because of its relevance to the HIPAA Privacy Rule. Given that
the report may require further revisions in response to questions and
comments from our respective offices, we cannot, at the present time,
predict a specific publication date for the report. We do, however,
intend to make it publicly available as soon as possible. We would be
happy to furnish your staff and the committee staff with a copy of the
final version of the report as soon as one becomes available.
Questions submitted by Representative Paul D. Tonko
Q1. CMS has announced that it will promulgate regulations for the
HITECH Act in three stages. Stage 1 measures focus on capturing and
sharing data. Stage 2 will target advanced care processes with clinical
decisions support services. Stage 3 will concentrate on improving
health care outcomes. It appears that results from Stage 1 will heavily
influence the regulatory process in later stages.
A1. CMS received numerous comments from providers, advocates, and
Congress on the proposed rule for the Medicare and Medicaid EHR
Incentive programs which included Stage 1 of meaningful use. We
carefully evaluated these comments and tried to accommodate concerns in
a way that provides flexibility for providers while moving forward on
the adoption and meaningful use of certified EHR technology. During
future rulemaking for the other Stages, we plan to take a similar
approach to engage stakeholder input as well as take into account our
experience and results from Stage 1.
For Stage 1 measures, we worked to meet the statutory objectives of
improving the quality of health care, reducing medical errors, reducing
health disparities, increasing prevention, and improving the continuity
of care among health care settings. Further, we identified core
objectives that are both patient-centered and crucial to laying the
foundation for obtaining value from meaningful use. For example,
providing electronic copies of health information to patients will not
be useful if the copies do not contain basic information such as a
problem list, medication list, or allergy list.
We provided some possible specificity about Stage 2, but will not
finalize details about other stages until later rulemaking. There are
two reasons for this.
1. We want to get results from Stage 1 to help us determine if
the requirements that we have set are appropriate.
2. Many of the requirements for later stages will be dependent
on infrastructure improvements that are anticipated over the
next several years due to HITECH funding.
Q2. How does CMS/HHS plan to measure physician progress and challenges
associated with implementing Stage 1 before moving to later stages?
Will CMS/HHS gather data from a range of physician stakeholders before
implementing later stages?
A2. ONC is taking a number of actions to gather input from physician
stakeholders. First, ONC's Office of Provider Adoption Support--in
collaboration with the ONC funded Regional Extension Centers--has
launched the Meaningful Use Vanguard (MUV) program, identifying
providers who are committed to leading the way in meaningful use of
certified EHR technology. The program is designed to support feedback
mechanisms for Stage 1 implementation, future stages, and monitoring
the general progress and barriers of the program. ONC will provide
quantitative and qualitative data collected from MUV to the HIT Policy
Committee, as that federal advisory committee deliberates and makes
recommendations to the National Coordinator for Stages 2 and 3. Second,
ONC is undertaking a new survey effort in cooperation with the National
Center for Health Statistics to obtain information from a nationally
representative set of physicians at various stages of EHR adoption
about the barriers to and benefits of achieving the Stage 1 meaningful
use criteria. Finally, Dr. Blumenthal has personally undertaken a set
of outreach efforts, meeting with professional groups across the
country to hear about their progress and challenges.
CMS is working to educate providers about the EHR incentive program
and meaningful use, and tailoring outreach efforts based on the
questions received from stakeholders. CMS has posted over 100
frequently asked questions and answers on its website, and will soon be
posting meaningful use specifications for each meaningful use measure
to further educate providers on all of the objectives. CMS will also be
monitoring the participation in the Medicare and Medicaid EHR Incentive
Programs, to determine if particular segments of the provider community
such as certain physician specialties or geographic locations are
having more difficulty registering or successfully demonstrating
meaningful use. This data will enable CMS to target its outreach
efforts strategically. Through the attestation data that CMS will begin
collecting in April 2011, they will be able to analyze if some of the
measures are more challenging to achieve than others. Both CMS and ONC
intend to fully leverage all available data collected as well as
program experiences with implementing stage 1 for purposes of informing
later stages of meaningful use criteria.
Questions submitted by Representative W. Todd Akin
Q1. A number of traditionally hospital-based physicians are eligible
for incentives under the HITECH Act program. Some of these physicians
are concerned that the rules and the ``meaningful use'' requirements
released to date don't necessarily apply to the way they actually
practice or use electronic health records. What are the plans to ensure
that hospital-based physicians, such as anesthesiologists, pathologists
and radiologists, who are deemed eligible for the incentives, are able
to successfully participate in the program?
A1. The Medicare and Medicaid meaningful use incentive programs final
rule conforms to the Continuing Extension Act of 2010 which addresses
provider concerns about hospital-based providers in ambulatory settings
being unable to qualify for incentive payments by defining a hospital-
based eligible professional (EP) as performing substantially all of his
or her services in an inpatient hospital setting or emergency room
only. Hospital-based EPs are those who furnish 90 percent or more of
their covered professional services in a hospital inpatient setting, or
hospital emergency department and thus are not eligible for incentive
payments.
CMS understands the scope of the Medicare and Medicaid EHR
incentive programs is vast and that doctors and hospitals across the
country have varying degrees of awareness of EHRs and of the program.
As a result, CMS is conducting wide-scale outreach to educate those
eligible for the program--hospitals and eligible professionals, as well
as States, and provider stakeholders. Outreach has already started and
will continue for the coming months and years to prepare and encourage
participation by all who are eligible. Some accomplishments and plans
to date include:
- CMS conducted awareness tracking among potential
  participants to gauge levels of knowledge and inform outreach
  efforts. This tracking will continue as the program launches.
- CMS established a specific website for the program on
  cms.gov and are actively promoting it through all related
  communications channels reaching these audiences. This website
  provides detailed information about eligibility, requirements,
  how to participate, and more in digestible portions to assist
  providers with learning and understanding the information. This
  website will continue to grow with content and tools for
  providers to learn about the program.
- CMS facilitated, in conjunction with ONC, a bi-weekly
  hospital and provider stakeholder call to share information and
  receive feedback from the field. The stakeholders are committed
  to helping in the educational effort of their constituents.
- CMS continues to conduct training for multiple
  audiences, including rural providers, through open door forums,
  CMS-hosted trainings, presentations at key conferences and
  webinars, partnering with ONC both at the national and local
  levels.
- HHS is actively engaging its 10 Regional Offices to
  promote and educate on the program through local activities and
  collaboration with the States and ONC Regional Extension
  Centers.
In the coming months surrounding the launch of the programs, we
will be promoting the program through both traditional and non-
traditional media as well as introducing an Incentive Program
Information Center to assist those participating in the program and to
answer their questions.
Questions submitted by Representative Paul C. Broun
Q1. As a primary care physician with over three and a half decades of
clinical experience, I understand the importance a patient's laboratory
data has towards a proper patient diagnosis. This laboratory data is
essential to many of the quality measures in the Final Meaningful Use
rule (rule). How have you addressed the funding challenges between the
necessary interfaces of laboratory information systems, where
pathologists house patient laboratory data, and Electronic Health
Records (EHR)? In particular, smaller laboratories need financial
assistance in acquiring these interfaces, which at this time, only
large national laboratories can afford.\1\
---------------------------------------------------------------------------
\1\ See page 4, bullet point 6 in the attached March 15, 2010 Small
Business Administration, Office of Advocacy letter to Charlene M.
Frizzera, Acting Administrator of the Centers for Medicare and Medicaid
Services.
---------------------------------------------------------------------------
A1. The ability to electronically receive laboratory test results is an
important tool for improving patient care and we recognize that certain
financial and technical challenges need to be overcome to realize all
of the benefits that this HIT can provide. We are engaged in several
efforts that we hope will help tip the scales and lower the costs and
barriers to obtaining and implementing laboratory interfaces. Our
Regional Extension Centers are working with health care providers to
help them become meaningful users and in doing so are providing
training and support services related to EHR adoption; offering
information and guidance to help with EHR implementation; and giving
technical assistance as needed. A primary focus of this activity is
working with providers and EHR vendors on implementing interfaces, with
an immediate priority on lab interfaces. The state health information
exchange grantees are working and partnering with both national and
smaller independent labs on several fronts:
Gaining participation of clinical laboratories in
health information exchange networks so that providers can
receive lab results from several labs with a single interface.
Providing financial and technical support to
independent and hospital labs to defray the costs of
establishing laboratory information system interfaces.
Advancing adoption of LOINC standards through
translation and validation services and value sets, to make it
easier for providers to incorporate and use lab results in
EHRs.
Finally, the Nationwide Health Information Network Direct project
we are leading is developing technical specifications and reference
implementations that we also anticipate will lower the cost of
establishing interfaces.
Q2. Given the rule's numerous measures that eligible health care
providers must meet to receive EHR incentive funding and prevent
financial penalties after 2015, how will you deal with eligible health
care providers who regrettably fail to meet the rule's numerous
required measures? For example, some pathologists who practice outside
of a hospital may be eligible for funding, but they do not evaluate
some of the measures included in the final rule due to not having
direct patient contact that most of the rule's measures envision.
A2. In accordance with the statute, eligible health care providers must
be able to demonstrate meaningful use of certified electronic health
record (EHR) technology by 2015 in order to avoid negative Medicare
payment adjustments in future years. While the Medicare and Medicaid
EHR Incentive Programs have similar reporting requirements, the
Medicaid Incentive Program does not include payment adjustments for
eligible professionals and hospitals who are unable to successfully
demonstrate meaningful use.
The use of EHRs among eligible health care providers varies greatly
by specialty, and CMS understands that not all measures will apply to
all providers. The requirements of meaningful use for Stage 1 have been
adjusted to be more flexible based upon comments received during the
rulemaking process. The measures have been divided into a core set and
a menu set. Where it may be impossible for an eligible professional
(EP) or eligible hospital to meet a specific measure, an exclusion is
defined in the final rule. If an exclusion applies to an EP or eligible
hospital, then such an EP or eligible hospital does not have to meet
that measure in order to be determined a meaningful EHR user. For
instance, if an EP such as a pathologist writes fewer than one hundred
prescriptions during the EHR reporting period, then the EP would be
excluded from meeting the measure associated with electronically
prescribing medication. Added flexibility also allows eligible
providers to defer reporting on up to five menu set measures.
The requirements for meaningful use for Stage 2 and 3 of this
program will be set through open and transparent rulemaking.
Consideration will be given to public comment from stakeholders during
future rulemaking. HHS anticipates the need to take into account
changes to the overall HIT infrastructure and lessons learned from
Stage 1 implementation for implementing future stages of the program.
Answers to Post-Hearing Questions
Responses by Ms. Kamie Roberts, Associate Director for Federal and
Industrial Relations, Information Technology Laboratory,
National Institute of Standards and Technology
Questions submitted by Chairman David Wu
Q1. You testify that NIST is heavily engaged in usability research.
What are some of the challenges currently associated with usability?
How does NIST establish the priorities for this research? How does NIST
ensure that the research is utilized?
A1. Usability is fundamental to the adoption of health IT. It enables
users--in the case of healthcare clinicians and consumers alike--to use
products quickly and easily to accomplish their goals. Usability of
health IT systems can offer efficiencies of scale in improving
healthcare and reducing disparities, and enable more effective use of
information technology to improve health and maintain wellness.
Challenges in achieving usability in health IT systems include:
designing systems to support tasks, not complicate them, so that
clinicians can focus on their patients; designing effective user
interfaces that reduce complexity of operations and training time;
establishing consensus based usability standards with quantifiable test
methods to assess compliance with the standards; and, determining
specific objective pass/fail criteria for usability certification.
NIST sets priorities for this research by collaborating with and
receiving input from many individual stakeholders in the public and
private sectors, including Federal agencies, standards development
organizations, professional societies and non-profit organizations,
academia, healthcare delivery organizations, industry, and consumers.
Extensive input from these parties was critical to the NIST-led
development of a usability road map focusing on R&D priorities.
Recently, NIST, the Department of Health and Human Services' Office of
the National Coordinator for Health Information Technology (ONC) and
the Agency for Healthcare Research and Quality (AHRQ) held a workshop
to further refine the road map by determining a prioritized list of
short, medium, and long-term strategies to improve usability of
electronic health record (EHR) systems.
To help ensure that the usability research is utilized, NIST is
providing stakeholders with focused guidance on usability and
accessibility, such as methods for building usability into product
design and development from the beginning. NIST is also disseminating
the research outcomes broadly to the stakeholder community through
workshops, publications and presentations at key health IT meetings and
conferences. In addition, NIST's collaborations with the ONC will
enhance development of data on usability in the event that
certification criteria in this area are considered in the future.
Questions submitted by Representative W. Todd Akin
Q1. A number of traditionally hospital-based physicians are eligible
for incentives under the HITECH Act program. Some of these physicians
are concerned that the rules and the ``meaningful use'' requirements
released to date don't necessarily apply to the way they actually
practice or use electronic health records. What are the plans to ensure
that hospital-based physicians, such as anesthesiologists, pathologists
and radiologists, who are deemed eligible for the incentives, are able
to successfully participate in the program?
A1. NIST's efforts focus on enabling adoption of health IT by
accelerating standards development and testing efforts within the
health IT domain. Questions related to the meaningful use criteria and
physician incentives are under the purview of the Department of Health
and Human Services.
Answers to Post-Hearing Questions
Responses by Ms. Joyce Sensmeier, Vice President, Informatics,
Healthcare Information and Management Systems Society
Questions submitted by Chairman David Wu
Q1. In your testimony, you note that ``data transport and basic
security are focus areas where selected standards [for meaningful use]
are missing,'' and that having these standards available would make it
much easier for vendors to prepare for phase two of meaningful use.
Has the Office of the National Coordinator, or any other body,
developed a standards roadmap, that would help software developers and
device makers build products that meet future requirements? Would such
a roadmap or guide be beneficial?
A1. We are not aware of a publicly available national standards roadmap
or guide. We do agree that such a roadmap would help software
developers and device makers build products that meet future
requirements. A standards roadmap would also allow the industry to work
in a coordinated effort to plan future software development cycles and
implement standards in a manner that builds on a consistent foundation
to more advanced capabilities.
However, we would like to clarify that when we stated ``data
transport and basic security are focus areas where selected standards
[for meaningful use] are missing,'' we were not saying that there are
standards gaps, or that additional standards need to be developed for
these focus areas. Many data transport and basic security standards are
already published and available; they simply need to be selected by CMS
and ONC for future stages of meaningful use and certification criteria.
Q2. Included in the NIST FY2011 budget request is a $10 million
initiative for Standards and Conformity Assessment for Interoperability
in Emerging Technology. What level of funding do you believe is
necessary to support NIST's health IT activities? If more funding were
available, what priorities would you recommend to support standards for
interoperability and related measures?
A2. Without knowing what requirements are included in the NIST FY2011
budget request, it is difficult to suggest a necessary level of
funding. However, priorities for this funding should address the need
for a broad and extensible test infrastructure which is critical to
ensure standards-based interoperability between health IT applications.
This infrastructure should include a modular, web-based testing
environment that provides a variety of conformance and interoperability
testing services to support instance validation testing, isolated
system testing, and peer to peer system testing.
Answers to Post-Hearing Questions
Responses by Dr. Richard Gibson, President, Oregon Health Network
Questions submitted by Chairman David Wu
Q1. The meaningful use criteria require that providers do a risk
assessment to gauge the appropriate level of security they will need
for their health IT systems. What type of experience do physicians have
in performing security risk assessments? What resources exist to help
them?
A1. Most small physician practices have no experience in performing
security risk assessments. Larger physician offices could possibly
already have someone on their staff familiar with IT security risk
assessments especially if they are currently supporting their own
in-house electronic health record. Even in the larger physician offices,
they are likely to be rusty on risk assessment skills. With a checklist
provided by a Regional Extension Center or by their specialty society,
an experienced staff member might be able to carry out their own
security risk assessment for that larger physician office. Smaller
physician offices are unlikely to be able to perform this assessment
without significant help. Perhaps a small physician office could
perform their own security risk assessment if they were provided a
plainly written, nontechnical, detailed checklist with full
explanations of each risk topic. The staff member or physician could
read the explanation of each question and be guided through how to
indicate their level of risk on each topic. Generally, I am not aware
that there are many resources currently available to help physicians
with IT security risk assessments. It is certainly not a routinely
advertised or discussed service among physicians. There is an
opportunity for private firms to compete in offering a fixed price IT
security risk assessment based on the size of the physician practice. I
can envision many smaller and some larger practices taking advantage of
this route as they might be uncomfortable making their own risk
assessment.
Answers to Post-Hearing Questions
Responses by Ms. Deven McGraw, Director of the Health Privacy Project,
Center for Democracy and Technology
Questions submitted by Chairman David Wu
Q1. The meaningful use criteria require that providers do a risk
assessment to gauge the appropriate level of security they will need
for their health IT systems. What type of experience do physicians have
in performing security risk assessments? What resources exist to help
them?
A1. The security risk assessment required by the meaningful use
criteria is essentially the same risk assessment required by the
security regulations under the Health Information Portability and
Accountability Act of 1996 (HIPAA). However, the Security Rule applies
only to electronic protected health information. Consequently,
providers who are adopting electronic health records for the first time
have no experience in conducting these risk assessments. Further,
providers who are upgrading existing systems may have little-to-no
familiarity with the new, more advanced security features and functions
present in certified EHR technology. Providers in small practices may
not have the resources to hire in-house IT security professionals.
For these risk assessments to be effective, it is essential that
providers perform them effectively. To help providers comply with the
HIPAA security rule, there are written materials on the websites of
both the Centers for Medicare and Medicaid Services (CMS) (which, until
recently, enforced the HIPAA security rule) and the HHS Office of Civil
Rights. These resources are a good start, but they are not sufficient
to ensure that providers participating in the meaningful use program
are actively implementing adequate security. Vendors of certified EHR
technology should educate their provider customers on how to deploy the
EHR security functionalities--but vendors are not a good, consistent
source of support on how to comply with security laws, or to implement
good security practices.
CDT has recommended that the Regional Extension Centers (RECs)
established in the HITECH legislation provide hands-on assistance to
providers to implement the security risk assessment. However, it is not
clear that the Regional Extension Centers have the expertise to
adequately take on this role. Also, given that providers need only
attest that they have performed a security risk assessment, it is unclear
that the security meaningful use provisions will be much of a priority
for the RECs. It will be important to monitor compliance with the
security meaningful use provisions during Stage 1 of the program to
ensure that consistent implementation of good security practices is a
top priority.
Appendix 2:
----------
Additional Material for the Record
Letter to Charlene M. Frizzera, Acting Administrator, Centers for
Medicare and Medicaid Services, Department of Health and Human
Services, from Susan M. Walthall, Acting Chief Counsel Advocacy, and
Linwood L. Rayford III, Assistant Chief Counsel for Food, Drug, and
Health Affairs, Small Business Administration, dated March 15, 2010,
Submitted by Representative Paul C. Broun