
Ignorance Is Not An Option

November 5, 2010
by Joe Bormel
Invest The Time To Attend, Learn, and Improve

I just attended another conference, “Achieving Meaningful Use Criteria with Electronic Health Record Technology.” The conference co-chairs, David McCallie and Brad Tritle, did a great job of assembling and facilitating a wide range of expertise. The two big special focus topics were the perspectives from the HIEs and the RECs. These kinds of conferences have a wonderful trait of highlighting issues that otherwise may be invisible.

Here are a Few Highlights:
There was a pre-conference workshop by Peter Waegemann, who provided an extensive review of mobile devices and what this might mean for healthcare. He pointed out that there has been explosive growth to more than four billion mobile subscribers worldwide. This mobile device volume dwarfs the number of people using PCs. The massive increase in communication and connectivity options will impact healthcare.

He suggested that in the future you won’t be prescribed a treatment or a medication; you’ll be prescribed an application for your smartphone that will help you manage your treatment, medication, etc. Think about the “patient activation” component of Accountable Care Organizations. Think about communicating with your patient-centric medical home with interfaces more powerful than simple, secure e-mail, text messaging, and Twitter. Interesting!

Jeff Hinson, the regional CMS administrator, described how MU moves us beyond paying claims and more toward the triple goal: improving quality, reducing wasteful spending, and improving access. He was truly excited about the agency’s evolution of focus.

There was a lot of emphasis on physician readiness from several perspectives: EMR, HIE, and REC support. Steve Waldren, MD, MS of AAFP talked about the challenges primary care docs have with MU. He shared that 60 percent of family practice physicians have some degree of EMRs, as compared with 10 to 20 percent, in general, of docs in small group practice.

They all must have a foothold in two worlds:
1. Dealing with a transition from volume-based care payment to value-based care payment
2. Health plans directed to consumer-based models
3. Claims-based to quality-based retrospective reporting

Achieving Meaningful Use? For most, it largely reduces to:
1. E-prescribing
2. Patient registries
3. Patient portals

Laura Kolkman, the president and founder of Mosaica Partners, was one of the presenters, as well as a moderator on the topic of HIEs. She has a HIMSS guidebook coming out in January titled, "The Health Information Exchange Formation Guide: An Authoritative Guide to Planning and Forming an HIE in your State, Region, or Community."

During her presentation, Laura walked through and detailed a five-stage HIE maturity model (see graphic at top of this article). It began with stakeholder engagement and participation. Perhaps surprisingly, multiple speakers referenced HIE initiatives that tried to launch in stealth mode, not necessarily deliberately, with unintended consequences including a lack of adoption, backlash, or both. The other stages are governance, business, privacy, and technology/security, but the end-goal is still a sustainable HIE. Laura reviewed over a half dozen required attributes, only one of which was solvency. There isn’t a set of proven paths to sustainability; however, the key work is pretty clear. My description does not do justice to the model and thinking that Mosaica has developed and shared. I plan to buy the book!




Thanks for your comment, your kind words, and your candor.

Regarding your first question, private HIEs address a significant business need. They allow providers who are cooperating to share information more effectively than they do today. If they are "Accountable", then they'll need the improved information exchange to drive down unnecessary utilization and, in doing so, earn the shared savings. Does that leave out the state-HIEs? Are private HIEs in conflict with or destabilizing to efforts to build broader, inclusive networks? That's not clear. It's also certainly going to vary by location.

Regarding your security concerns, well, they're valid. One key new concept for me was that there have been breaches of security in the past. The only defensible policy is to mandate encryption. It's not clear to the experts that I rely on that we have agreed upon encryption standards for HIEs. I know that the technology is available.

I would welcome comments from other readers regarding the state of security standards for HIEs.

Thanks again for your comment.

Rich, Thanks for sharing your insights.

I've received praise from the conference co-chairs for keeping the tone positive in my comments. That said, several speakers made some comments very resonant with yours. Dan Schipfer, a general manager at a leading supplier of HCIT software and services, said we need an FDIC-type mechanism. To your point, people need to know the rules, remedies, remediation and irreducible risks associated with security of health information. Multiple attendees nodded their heads affirmatively to that.

The observation that most providers will need to maintain more than one HIE relationship is interesting. I don't think that's widely discussed. Should that strike me as violating some basic unexamined notion that I have that there should only need to be one trusted source (in the HIE space)?

Lastly, thanks, Rich, for bringing up the breach topic. One presenter said since some degree of breach is inevitable, strong encryption as a standard (for data in motion) is the only acceptable policy. A pretty obvious conclusion, but again, we're living in the Wild West days.

Dr. Bormel,
The title of this post grabbed me by the shoulders and shook me! Your closing comments could not be more on target. I am one of those guilty of foregoing meaningful conferences with no valid reasons for doing so. Ignorance in our industry really is inexcusable.

This blog also raised a couple of very perplexing questions I'd like for you to address. The first being, can you explain the validity of private HIEs and whether their scope can possibly be beneficial in terms of the numbers of users they may attempt to serve? I'm quite skeptical of them.

Second, why is our industry forging ahead with these HIE projects knowing full well that their security is clearly marginal at best? I find this cavalier attitude toward securing patient information to be unacceptable at best, and criminal, at least in an ethical sense. Please explain how we can justify deliberately putting patients in harm's way for the sake of rushing to implement technology that is so grossly incapable of performing without substantial risk to those we claim to be serving. I find that when blunt security questions are posed to those in control of such projects, the answers they generally provide range from evasive to professionally offensive.

Thank you for the not-so-subtle push in the right direction. I intend to attend and participate.

Doc Benjamin

To some of the implications of Doc Benjamin's comments:

First, as stated, we're in the Wild West phase of HIEs. We've adopted national policy that the data will follow the patient, but we have not yet built the system of systems to do that. Work is in process. In the short term, most providers will be facing a need to develop and maintain electronic communications capability with more than one HIE.

Second, marginal security is not something created by HIE capability. Security around paper records has been notoriously marginal forever. Perfect security is only possible theoretically, so we can't wait for it. We need to determine what is "reasonable" (e.g., the HIPAA policy of "addressable" depending on circumstances). We also cannot measure by security risk alone. The risk of doing harm to patients by security breaches must be measured against the harm done to patients by refusing to share data (because of security worries). Tough choices. I believe we need an evolutionary path through the middle ground: but then, I'm not necessarily the individual who will pay the price for breach of my security or die because available critical clinical data was not shared among my treating physicians.

Finally, the HHS Office for Civil Rights has some interesting statistics on security. I'll point out that this is in the pre-HIE world; whether HIEs will be in addition to or in lieu of these rates remains to be seen. HIPAA Security complaints are running between 90-150/year. Privacy complaints running 6,000-9,000. Security breaches this year involving more than 500 individuals are nearing 200. Security breaches this year involving fewer than 500 individuals are approaching 9,000. Again, looking at these as rates in a country of over 310 million people, that's neither low nor high risk, but there's no metric for 'harm done.' Looking at it if it happens to me, a very different perspective.

I think we're in the Wild West days of HIE for some time to come. There are too many unanswered questions and too many competing demands for the achievable solutions to be quick, easy or totally effective. We've got a lot of work to do on national policy, our culture of security around patient information, legal doctrine and technical solutions.

Some considerations:

We have no well established national privacy policy. Security priorities need to follow from privacy priorities, so without mature privacy policy we stay at Security 101 levels and cannot resolve some of the mechanics for integrating into meaningful HIE networks.
HIEs are immature: data exchange standards are in flux and organizations have not demonstrated sustainability. There will be successes and failures. Eventually we'll start seeing a landscape that defines privacy expectations in non-conflicting, non-ambiguous ways.


Joe Bormel

Healthcare IT Consultant
