It would be hard to dispute that the health IT industry is in the thick of an exciting journey that will transform the U.S. healthcare system. As we shift from a fee-for-service-based payment system to one that rewards value-based care, plenty of initiatives are on healthcare organizations’ plates, such as meaningful use, ICD-10, value-based purchasing, bundled payments, data privacy regulations, and accountable care organizations (ACOs).
These programs, efforts, and mandates all are part of the voyage to the “new” healthcare, one that began a few decades ago but was reinforced with President Obama’s Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, which authorized tens of billions of dollars in federal subsidies to doctors and hospitals for the meaningful use of electronic health records (EHRs).
This whirl of activity at the federal level—paralleled by insurers’ efforts to support medical homes and ACOs—has motivated many provider organizations to actively prepare for the reimbursement changes that loom ahead. The new healthcare system is still taking shape, but it will clearly involve increased financial and clinical accountability. As such, a plethora of legislation and policy issues are now present—and will continue to emerge—for patient care organizations of all sizes. For this feature, Healthcare Informatics Associate Editor Rajiv Leventhal spoke with various health IT policy experts and leaders to get a gauge on how medical professionals are dealing with the snowball effect of federal mandates that are hitting the industry.
RAMPING UP SECURITY
In healthcare, access to data and information is so strongly demanded by patients, providers, payers and employees that it is fast becoming a major area of data security risk. Unfortunately, unlike in many other industries, IT security in healthcare has historically often fallen short as a top C-suite-level concern.
But according to Jeff Smith, senior director of federal affairs for the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), that is beginning to change. In February, the Commerce Department’s National Institute of Standards and Technology (NIST) released a final version of a voluntary framework for reducing cybersecurity risks to critical infrastructure, which includes the healthcare sector. Smith says that CIOs should understand how the framework aligns with or distracts from their current strategy.
CHIME’s president and CEO, Russell P. Branzell, adds that while the framework came out as voluntary, it will eventually become a standard by which patient care organizations will be judged. But Branzell says, “If we had to comply today as an industry, it would be pretty daunting for most of the organizations that we represent.” In trying to compare healthcare with banking and manufacturing, for example, “We’re simply not there yet,” he says.
Meanwhile, in Congress, while there are a few pieces of legislation being entertained in the House of Representatives and the Senate, Smith says he doesn’t anticipate anything getting signed in the near term. “But it’s indicative of where congressional eyes are looking. As far as healthcare, I think you will see more activity at the agency level, such as the Department of Homeland Security and the Department of Health and Human Services (HHS). I would expect that you will see more collaboration,” he says. Smith adds that much of privacy and security policy does fall within the purview of statehouses. “You have HIPAA [the Health Insurance Portability and Accountability Act] of course, but many states go deeper and wider than what HIPAA requires. It would make sense for state legislatures to think about how they would want to handle this.”
However, Smith explains that this will create a patchwork, like what we see right now in the industry. Taking patient consent as an example, it’s easier to share information in some states compared to others, he says. “What’s important is that the awareness factor is definitely there, and I don’t see that retreating in the near future. People I talk to are cognizant of the fact that if the industry doesn’t step up and self-regulate, they will have to deal with the government. That’s not necessarily the best option because of all of the complexities that come into play whenever you’re running a federal program and trying to manage data locally,” he says. “As you stand up and start digitizing healthcare, you have to be very cognizant of the fact that there are bad actors out there, so you have to figure out what the proper role is for the government.”
Branzell himself is pushing for more consistency from different federal agencies. “The more assistance we get from the federal government, the more the industry as an aggregate whole can assist, and the better off we will be,” he says. “What’s concerning is that we may get this guidance from a few different places. You have the Office of Inspector General (OIG), the Office of the National Coordinator for Health Information Technology (ONC), and what you end up with are things that conflict with each other. We would love to see consistencies across all these agencies and legislation. That may be unrealistic given past trends, but if there was ever a time when healthcare needed more consistency out of the government, it would be now.”