State legislation poses an added layer of challenges for CIOs in meeting privacy and security, patient consent, technology, and payment reform that go beyond federal mandates.
When it comes to health IT policy mandates, regulations and legislation, Meg Aranow may have different opinions depending on which hat she is wearing on any given day.
As vice president and chief information officer for 508-bed Boston Medical Center in Massachusetts, Aranow thinks she knows what is best for her organization and the right pace of change for her institution. “Your attitude tends to be, I am smart and well intentioned, so leave me alone.”
But as a member of the Massachusetts Health Information Technology Council, charged with overseeing implementation of statewide interoperable health records by Jan. 1, 2015, she sees things quite differently. “As a member of the council, I have a much greater appreciation for the role of policy and legislation to move groups of people at a faster pace.”
And in Massachusetts, legislation pre-dating the Health Information Technology for Economic and Clinical Health (HITECH) Act has serious consequences for non-complying providers. Chapter 305 of the 2008 legislative session of the Massachusetts Legislature requires that hospitals and community health centers use interoperable computerized physician order entry (CPOE) systems by October 2012 as a condition of licensure. By 2015, physician licensure will be conditioned on demonstration of competency in CPOE, e-prescribing, and other forms of health IT, as determined by the Board of Registration in Medicine.
With so much media and consulting firm attention focused on federal efforts to promote health information technology adoption, the role of state legislation is often overlooked. But in many states, including California, Massachusetts, New York, and Minnesota, health IT incentives and mandates preceded the HITECH Act, and CIOs in those states must calibrate their efforts to respond to both meaningful use and state-level requirements, which can be especially tricky when it comes to privacy and security guidelines.
Traditionally, state privacy laws have been scattered rather than uniform, notes Helen Oscislawski, a Princeton, N.J., attorney who is a member of the New Jersey Health Information Technology Commission. State laws about privacy and security were written for a paper world and most haven't caught up yet, she adds. “For instance, here in New Jersey there have been laws that apply to licensed ambulatory care centers and different laws that apply to hospitals about consent for sharing data.”
Oscislawski says that the national push to share data outside the four walls of an institution is forcing state legislatures to make their own judgment calls on privacy and consent issues, and legislators must weigh the practical impact of the laws they pass.
“CIOs would like one simple set of rules,” she says, “but unfortunately they have to look at both federal and state rules and follow whichever is most stringent.”
Some CIOs say that tracking the combination of new federal and state rules is daunting. “There is a rainstorm of new regulations and incentives from Washington, some of them doing wonderful things, in HITECH and PPACA [Patient Protection and Affordable Care Act],” says Tina Buop, chief information officer for Muir Medical Group IPA, a multi-specialty IPA of more than 600 physicians in Walnut Creek, Calif. “But with so many requirements changing, it is a challenge to find them all and have them in one place. Add in state requirements, and it is incredibly difficult to keep up.”
Although she has served on the California Privacy and Security Advisory Board, Buop says she still has difficulty keeping up to date. In California, she has her eye on three pieces of legislation, two of which have been signed into law. AB 211 requires providers to implement specific safeguards for patient data security, and SB 541 increases the fees assessed for any breach as well as the disclosure reporting requirements. Covered entities in California may face both state and federal investigations for breaches affecting more than 500 records.
Not yet signed into law, SB 850 would require an electronic health or medical record system to automatically record and preserve any change or deletion of electronically stored medical information, and would require the record to include, among other things, the identity of the person who accessed and changed the medical information and the change that was made to the medical information.
“At Muir, we have tight change controls and a tracking system,” Buop says, “but what if a physician started to write a prescription and then realized it was for the wrong patient? As the hosting organization, would we have to automatically preserve the initial mistake, which may require additional archiving and cost physicians more? Every time the legislature passes something like this, there is a financial impact for hospitals and physicians.”
From a technical standpoint, she adds, rules that are uniform across the country are much easier for software vendors and for implementation teams to put in place.