Maybe MAeHC can help teach the New York Times a thing or two.....

Today's New York Times has an article on a recent security incident that we experienced at MAeHC.  The reporter, Nicole Perlroth, does a pretty good job of bringing together different pieces of the story.  Even tries to give it some Bourne-like suspense -- I guess I'd allow Matt Damon to play me in the film version (though I would have to insist that he get in better shape first).

No story is perfect though, and this one had its share of limitations:

It didn't cite the blog post or the HISTalk Practice website that inspired the story and that accounted for much of the article's content.  OK, so I'm not a journalist, but this seems like a pretty shaky practice.  The storyline comes from the blog, not from the very short interview that I had with the reporter.  Furthermore, if my blog account had been an article in, say, Health Affairs, they would have cited both the article and the journal.  [Update Note:  I forwarded a link to this post to the New York Times and they have now added a link to my HISTalk blog post in the on-line version of their article.  Thank you NY Times for your responsiveness!]

The article notes that electronic breach reports have increased in recent years and while that is true, a closer look at the numbers reveals that that doesn't necessarily mean that there are more breaches.  There are 2 important subtleties behind this.  First, reporting requirements have increased so people have to report more now than they have in the past.  In addition, electronic systems have generally better ability to detect breaches in the first place.  This is not only due to technologies such as intrusion detection, user-based activity logging, etc etc, but also because physical devices are easier to track and manage than paper systems -- it may be easy to gloss over a few misplaced paper charts, but you can't hide the fact that you lost a laptop.  So, the fact that breach reports are up may just reflect better detection and reporting and not necessarily more breaches.

Second, the article suggests that electronic systems increase the risk of breaches.  As I explained to the reporter, I believe that electronic systems are more secure than paper/fax, but there is a trade-off in the type of risk that they introduce.  I liken this to the difference between auto accidents and plane accidents.  Auto accidents happen very frequently but with fairly contained consequences, whereas plane crashes are rare but can be disastrous.  The latest OCR report to Congress on breaches reports something like 25K small breaches (fewer than 500), a very large fraction of which are paper/fax incidents. 

Finally, I found it a little ironic, that while the NYT article itself is an important step toward educating the public about the real issues surrounding the loss of electronic patient information, it glossed over the steps we've taken to educate the industry – like writing the post that lead the Times to the story in the first place.  I think it was a bit of a missed opportunity to encourage organizations that have similar experiences to follow the path of full disclosure that we did.

Meeting halfway

Those of us focused on health IT are spending a lot of time and energy on bringing the technology to where the patients are. Interoperability is crucial because patients get care in so many different places, and through Regional Extension Centers and other programs we're trying to get EHRs into the hands of small and independent practices at the far reaches of the health care delivery system, again, because that's where the patients are. Something like 80% of practices are small practices, and 90% of outpatient encounters are in those small practices.

I've been wondering recently about whether we're going through a Copernican revolution where the patients come to the IT rather than having us bring the IT to the patients. My own personal experience started my thinking on this. I used to get my care from a small practice primary care physician in Wellesley MA -- great guy, good doctor, gives 110% every day. But he didn't have an EHR (still doesn't) and it was basically my responsibility to get specialist records back to him to make sure that he had the whole picture of my care. I switched to Harvard Vanguard not only because they have an excellent EHR but because they are multi-specialty as well. When I need a specialist I no longer scour all of Boston for the best specialist -- I only look within the Harvard Vanguard system because I want to make sure that my records are kept on the same EHR. What I might be sacrificing on the quality of an individual specialist I'm more than gaining back in having all of my physicians reading from the same page (literally).

Since my Wellesley doctor couldn't solve the interoperability issue, I solved it myself by eliminating it. My wife gets her care at the Brigham, and I've increasingly seen her focus her decision-making in the same way -- she has eliminated the need for interoperability by limiting her choice of specialists to those who are on the Brigham's EHR.

Maybe this is just a family thing. But I started thinking otherwise after I heard a very interesting story yesterday on NPR and Kaiser Health News on consolidation of the health care delivery market, and in particular, the increasing share of outpatient physicians employed by hospitals. As the story reports, almost 20% of physicians work for hospitals today, but 50% of new physicians are taking jobs with hospitals. The looming prospect of Accountable Care Organizations' becoming the operational unit of health care delivery will put increasing pressure on hospitals and physicians to keep patients within their care delivery network. Changes in health plans that limit patient choice will also drive patients to stay in closed networks. All of these trends will increasingly funnel patients into health care delivery networks that also happen to be connected on IT networks.

There could certainly be many bad affects from such consolidation, such as higher oligopolistic prices, less customer choice, the demise of solo practices that are an iconic part of the American fabric, etc etc. But from a health information exchange perspective, it's only to the good if we can get more patients to meet us halfway on the road to interoperability.

Provider Directories

The Information Exchange Working Group of the Health IT Policy Committee had a public hearing today on the topic of Provider Directories. The FACA Blog has some background on the issues that we covered today. We have a lot of information to process regarding some very complex issues and unfortunately on a very compressed timeline. Some of the major themes that came out of today's hearing are:

• We've got to get rid of the "yellow pages" and "white pages" analogies to Provider Directories. It's fraught with all of the general flaws of analogies, but more important, as my co-chair David Lansky said, "no one under 30 will know what we're talking about."

• That said, it is useful to distinguish directories that support machine-to-machine routing from those that have more of a lookup role that might be focused more on use cases involving person-in-the-loop functions. Arien Malec noted that while the latter might initially be used more by humans, there would be interesting applications for machine-to-machine transactions as well, such as identifying providers involved in "post-exchange" continuity of care. Keith Boone suggested that we use the terms "service discovery directory" and "provider discovery directory" to more appropriately describe how technology works today. Abby Sears described the need for provider directory functions, however defined, to be embedded within EHRs to make them useful to end-users.
  

• There are many well-developed directories out there already, so whatever we recommend needs to provide help to enable approaches that have barriers to moving forward while at the same time not stifling forward progress for approaches that are moving ahead. JP Little noted that a number of national directories already exist today, with some degree of interoperability. Charles Kennedy noted that there are is a lot of administrative infrastructure in the market already today, but very little clinical, so we should be thinking of ways to leverage the administrative infrastructure to lower the cost of developing and maintaining clinical infrastructure. Syd Thornton offered that though InterMountain Healthcare maintains its own directory of external providers, they would be interested consuming it from a higher-level aggregator that might offer better economies of scale. Robb Chapman described how the CDC leverages medical registration data from the Federation of State Medical Boards for its Physician Registry Project, but Martin Laventure noted that public health directories are not dynamically linked with any outside systems so updating them is difficult. Karen Trudel described that there are no "one-and-done" solutions in the market today, and even large, nationwide directories such as the NPI and PECOS have significant limitations with respect to the clinical exchange transactions being contemplated today.
  

• Directories are the means for performing value-generating business functions, they are not the end. Tom Morrison said it most clearly when he stated that "data is a by-product of a business process." Sorin Davis recommended provider accountability for entering and maintaining their data. Anita Sarnoff noted that Axolotl recommended NOT having providers be responsible for maintaining their data and leveraging existing accreditation and credentialing information instead. Linda Syth described that it cost $3M to create the provider registry used by the Wisconsin Medical Society, and about $700K per year to maintain it. Carladenise Edwards recommended mandating the use of specified provider directories to better support their sustainability. Putting all of these together suggests that we need to create or leverage directories that enable services that providers have high interest in consuming so that they themselves will feel the need to assure that their information is timely and complete.
  

• If we do nothing else, creating a framework and taxonomy for key concepts would be helpful in and of itself. Greg Debor noted that though we refer to "provider" directories, there are other health care participants (such as public health and health plans) that would be important to future value. Hunt Blair pointed to the need for a common ontology of terms such as "provider", "practice", "entity", etc.

• As states move to implementation of their HIE Strategic and Operational Plans, there is an urgent need for some type of guidance or coordination to capture any possible synergies across these efforts and to ensure future interoperability. Goerge Oestreich noted that the pressing need for immediate solutions limited how much central orchestration could be expected and suggested that the focus should therefore be on developing standard interfaces and data formats to support a federated architecture which would allow states and private actors to continue with their own development but with some level of alignment. Steve Waldren cautioned against "over-designing" too early to remain flexible to the many changes that technology change and health reform might bring. Jeff Barnett recommended the need for standards to be able to uniquely identify individuals and organizations. While there seemed to be a general consensus that "a federated approach" was preferable to any other, we did not have enough time today to define the parameters of federation in this context and what requirements would be needed to make it feasible.
  

• There seemed to be rough consensus that while both were important, the "routing directory" should be a priority. Dan Nigrin noted that they know who they need to send information to, but they often don't know how.
  

These are just some of the many thoughts that emerged from our hearing today. There are more comments posted on the FACA Blog, and additional comments will be collected through October 4.

What's in a name?

So what's in a name? The full quote of course is: "What's in a name. That which we call a rose by any other name would smell as sweet."

On September 28, the Office of the National Coordinator awarded the New Hampshire Regional Extension Center to the Massachusetts eHealth Collaborative. Is it odd that an organization with Massachusetts in our name is running the New Hampshire Regional Extension Center? I suppose so, on the face of it, but the reality is that we provide professional services in many states outside of Massachusetts. For example, we're already doing work with the regional extension centers in New York and Rhode Island, as well as Massachusetts. And we're currently working on a project with New Hampshire stakeholders on their Health Information Exchange Strategic and Operational Plan.

All companies have to be based somewhere, and we happen to based in Massachusetts. Granted, most companies don't have their home state in their name. That is a reflection of our non-profit, collaborative roots. We were founded in 2004 by 34 non-profit Massachusetts-based health care organizations. Our mission then and now is to improve the quality, safety, efficiency, and affordability of care through effective adoption of health information technology. Since our founding we've developed a national reputation for being operationally effective, mission-oriented, and consensus-driven.

We have the name collaborative because we work as partners -- we share what we've learned, and we look to learn more things that we can share. We try to develop deep ties with each new engagement, and we could not have gotten this federal award without the endorsement and backing of the State of New Hampshire -- we're grateful for the confidence they've shown in us.

My father is a family physician and surgeon who has practiced his entire career from his office in Pelham, New Hampshire. We're based in the Massachusetts Medical Society, which reflects our strong affiliation with clinicians -- we have deep ties to the physician community and we make it our business to understand the needs of physician practices.

We feel genuinely privileged to have the opportunity to help the clinicians of New Hampshire achieve their meaningful use objectives, and we look forward to deepening the ties that we already have with health care stakeholders across the Granite State. If you're a priority primary care provider in New Hampshire, we're going to be looking for you!

Guy with a good voice......and A LOT of time on his hands

For those who haven't seen it, Ross Martin's video "An Interoperetta in in Three Acts" is amusing (see below). Though I've got to say, if I had that kind of musical talent, I definitely would not be singing about health IT.....

NCVHS Meaningful Use

Thanks to John Halamka for featuring my NCVHS testimony on his blog! For those who aren't tracking this closely, all of the testimony is now posted on the NCVHS website. The transcript of the first day's testimony is also posted, which is long but a little easier to follow and also includes Q&A from the panel. There's a wide array of perspectives here, and who knows how it's going to be used to shape the definition of "meaningful use". As I describe in my testimony, I don't think there are as many degrees of freedom here than we might think, because there's not enough money or infrastructure to support a very high bar on meaningful use. I hope I'm wrong.

MAeHC launches subsidiary

Today we're announcing the launching of MAeHC Professional Services Corporation (PSC), a for-profit, wholly owned subsidiary of the Massachusetts eHealth Collaborative. Our press release is here. PSC will provide a broad range of fee-based consulting services related to EHR deployment, health information exchange, and quality data warehousing. PSC will provide these services—including strategic planning, project management, and project execution services—to both nonprofit and for-profit clients throughout the United States who are involved in a variety of health IT activities.

Today's Boston Globe gave our launch some nice coverage (New eHealth subsidiary will fund expansion), and we greatly appreciate their interest in the story. One thing from the story that I'd like to clear up is that it suggests that we don't work with so-called "web-based" applications such as athenahealth. In fact, both MAeHC and MAeHC-PSC are vendor- and platform-agnostic, and we ourselves have deployed both web-based and client/server-based applications. And, of course, we're happy to work with athenahealth.....

Darn, I'm a breach victim......

I just got the following email.

Important Message from Pentagon Federal Credit Union
Ref. Card Number
Ending In: XXXX

Dear Member,
Visa Fraud Control has recently notified us that your Pentagon Federal Credit Union Visa credit card account number, name, expiration date, and CVV (a three-digit verification value on the magnetic stripe of the plastic) may have been compromised in a processor level breach at Heartland Payment Systems, Inc. Heartland Payment Systems, Inc. is one of the nation's largest payment processors delivering credit/debit/prepaid card processing, payroll, check management and payments solutions. Heartland has dedicated a website, www.2008breach.com to provide additional information on the breach.

Information pertaining to your other Pentagon Federal Credit Union account(s) has not been associated with this event or compromised in any way. The compromise did not occur at Pentagon Federal Credit Union nor did it involve any of our systems. All of your Pentagon Federal Credit Union account information remains absolutely secure.

We continue to take all necessary precautions to safeguard and monitor your Pentagon Federal Credit Union accounts to protect against unauthorized activity. We have provided a series of frequently asked questions below that provide additional details and tips.

Please review them and if you would like to receive a new card with a new account number, please use the instructions provided below. You may reach us toll free at 800-247-5626 or online at PenFed.org.

If you have recently closed the referenced card, please disregard this correspondence. We apologize for any inconvenience this may cause. We appreciate the continued trust you have placed in Pentagon Federal Credit Union. Thank you for remaining a valued member.

Sincerely,
Vincent Gay
Director, Security
Pentagon Federal Credit Union

In this simple email we see the complexity of breach notification. Let me say for the record that I love PFCU -- I've been a member of PFCU for many years and will continue to be for many more.

On the negative side of this notification is the ambiguity. My information "may have been compromised" -- not sure if it actually was, so I'm not sure what the actual risk is. They're fulfilling a legal and/or ethical obligation to tell me the nature of the breach, but are they really helping me by telling me that it's a "processor level breach", without further explanation? And how am I as a consumer supposed to assess my level of exposure? Does this mean that there was an actual intrusion of Heartland's environment, or that they discovered a security hole that could have been entered without their knowledge but they really have no idea whether it was.

On the positive side, I'm alerted, so I myself can keep my eyes open for suspicious activity.

This notification was for a relatively simple incident in a disciplined corporate setting, and it still raises more questions than it answers. Makes me wonder about how we're going to strike the right balance as we move to stricter breach notification regimes in health care.....

Grassroots

Farzad Mostashari and I wrote a short white paper urging a more direct link between Federal HIT incentive funds and regional HIT extension centers (Farzad deserves the lion's share of credit for taking this idea and running with it). Pretty straight-forward idea, really -- rather than just handing out $18 billion in cash to providers, funnel those funds through an infrastructure that will protect the government's investment by ensuring that adoption happens efficiently, effectively, and with public benefit in mind. You'd think this would be a no-brainer after our recent experience with the $350 billion bank give-away, but so far, the concept hasn't made it's way into the stimulus package.

The letter has gotten almost 60 signatures from individuals and groups across 26 states, including some prominent national organizations such as the eHealth Initiative, NCQA, National Partnership for Women & Families, and Pacific Business Group on Health. It's also gotten a fair amount of attention. It was featured on iHealthBeat, John Halamka wrote about it in his blog, and it was also picked up by the New York Times. Thanks to everyone who co-signed it......hopefully somebody up there is listening!

How the other half lives

It's good every once in awhile to rise above the surface of the health care market and see how the real economy does things. Today the Times had an article about the barriers to adoption of near field communication (NFC) technology, which would allow you to swipe your phone over a reader to make credit card transactions. The technology is already in use today in Japan and in the UK, but it's facing many obstacles in the US market.

As described in the article, the issue is not technology. By 2012, most phones are expected to have the technology built-in, yet the availability of the "wave-and-pay" function could take much longer. As an industry expert explained:

For that to happen, all the players will have to work together to define standards, determine revenue-sharing, expand the network of electronic readers and think through the other parts of what he calls "this 2,000-piece puzzle."

The expectation is that a trade association, the NFC Forum, which represents 150 stakeholders in this field, will forge the way to a solution. Yet, the same industry expert warns:

...it is completely possible that nothing will happen in mobile phones in the next five years if everybody keeps thinking only about their own piece of puzzle.

I have no doubt that they're going to figure this out and we'll be waving our phones all over the place relatively soon. Reflecting on the somewhat similar dilemma we face with respect to healthcare IT, I'm struck by two big differences that make health care harder.

First, we'd be lucky if we had only 150 stakeholders. Part of our dilemma in healthcare IT is that the demand- and supply-sides of the industry aren't just fragmented, they're atomized. On the demand-side, there are over 1000 health insurers in the US, and on the supply-side, almost 8,000 hospitals and 170,000 office-based physician practices. HITSP and CCHIT have done a nice job bringing together the technology suppliers (in the latter case, probably too good a job....), but they're only addressing the technical side of this issue. NeHC is supposed to be a forum to forge consensus on market-blocking issues, but they're a top-down creation of the federal government, not the result of the burgeoning demands of underlying grassroots contituencies.

Second, the benefits of health IT aren't as crisp and clear as easier credit card transactions, so our customers (ie, patients) aren't exactly clamboring for what health IT has to offer. Most of us use credit cards very often (all right, probably too often), so little tiny convenience benefits accrue in an obvious way. Most of us don't use the health care system that often, however, so the convenience factor isn't all that meaningful to a lot of us, and so the appeal has to be on less immediate benefits (safety, quality, etc) that are harder to grasp (and believe).

Like the "wave and pay" issue, the obstacle in health care IT is decidedly not the technology. If we can't get "wave and pay" into the market by 2012, what hope do we have of achieving the President's goal of universal EHR adoption by 2014? It's clearly going to take a much larger "forcing function" than the health care market will be able to muster on its own. The Congress' watered down version of the President's health IT vision clearly isn't going to provide that "forcing function", however, so it looks like we're going to have to place our hopes on health care reform.