HCFA’s Memo Poses Many Questions
A HCFA BULLETIN ISSUED LAST FALL REMINDING Medicare HMOs to avoid using the Internet to transmit Medicare beneficiary data has raised questions among healthcare executives--and few, if any, are getting answers.
The directive stated that in light of provisions set forth under the Privacy Act, HCFA information systems security officers determined that acceptable encryption mechanisms are not yet available for Internet use to insure an acceptable level of privacy. Therefore, the memo continued, "activities using the Internet or an unsecured internal network where the plan provides individual information must cease immediately."
The CIO of one Dallas-based HMO, who asked not to be identified, claims to have received a copy of the Region II (NY office) memo via e-mail from another source. After passing it around the office, it raised quite a high level of concern among the health plan’s executives. Looking for answers, the CIO ran into a brick wall at the memo’s source. "I’ve queried HCFA personally and can’t get an answer." The CIO wanted to find out exactly what kind of Internet activity is permissible, and what the implications are for those who do not comply. "We haven’t put anything on the Internet yet, but we have been seriously looking at that technology to complement our claims processing and IT structure," the CIO says. "We are just kind of proceeding now, hoping [the directive] will go away."
A former HCFA insider, who logged 18 years with the agency and is now vice president for government programs and relations for an HMO in the Northeast, says she wanted to know why this "national policy" came from the regional offices. She, too, had only seen the memo from the New York office, and was concerned to learn that a number of HMO executives within her organization and nationwide claimed not to have seen the memo. After researching the issue for two months without a response from HCFA’s regional or national office, she gave up.
HCFA spokesperson Jennifer Douglas of the New York office maintains that there is no mystery surrounding the memo. It was issued from the regional offices, she explains, and it is "a national [HCFA] policy that information covered by the Privacy Act cannot be sent via the Internet." Furthermore, the policy is not new, just a restatement of a policy that was enacted a few years ago. Then why the difficulty getting answers to questions? A full policy directive should "be coming out very soon" from the national office, explains Douglas, but until then, it is "typically inappropriate for an agency to comment on policy when it is in draft form."
Douglas said she could not comment on the sanctions that could be imposed on non-compliant HMOs, but reiterated that "there is a ban in effect on using the Internet for Medicare-related activities." Craig Schneider, a spokesperson for the Boston regional office of HCFA also stated that to the best of his knowledge, all regional offices sent their Medicare HMOs a version of the memo early last fall and added that his office had fielded "no significant number of complaints" regarding the bulletin.
Pamela Vaupel Shuckman is a healthcare technology writer in Springfield, Va.
Davies Honors Two Organizations, One Vendor
KAISER PERMANENTE NORTHWEST in Portland, Ore., and Northwestern Memorial Hospital in Chicago were recently honored by the Computer-based Patient Record Institute (CPRI) for implementing successful CPRs. However, this year’s Nicholas E. Davies Award for Excellence has a peculiar twist.
For the first time, both Davies award winners implemented a CPR from the same vendor: Epic Systems in Madison, Wis. The 1998 Davies recipients are somewhat removed from many previous winners, including the Department of Veterans Affairs, Kaiser Permanente of Ohio in Cleveland and Regenstreif Institute for Health Care/Indiana University Medical Center in Indianapolis who won the award for their in-house developed CPRs.
Pure happenstance, Ned Simpson, CIO at St. Joseph Mercy Health Network in Ann Arbor, Mich. says of the coincidental selection. The award does not necessarily acknowledge a CPR’s technology, but rather the impact a CPR system has on the way healthcare is delivered, he says. "We identify if the organization has accomplished what they set out to accomplish." According to Simpson, who also is chair of the Davies recognition program organizing commitee, Davies panelists were impressed with both organizations’ relative ease and efficiency installing the CPRs.
Northwestern Memorial Hospital
Northwestern’s CPR began as a research project partially funded by the National Library of Medicine in February 1996, to identify information tools ambulatory care physicians need to make their jobs more efficient. Studies conducted by a group of clinicians revealed that most of their colleagues were not computer proficient, and only a handful even had computers in their homes.
With information about care processes and current physician access to clinical data, Northwestern began a deliberate procedure of implementing a CPR at two ambulatory care sites. The first task was simply putting a workstation on the clinicians’ desks. "We wanted to take them through the cultural process of getting to know a computer as an information and communication tool," says Paul Tang, medical director of information systems at Northwestern Memorial Hospital.
One year, hours of extensive training and pop quizzes, and a dress rehearsal later, Northwestern introduced the EpicCare CPR to about half of the physicians at each site. "The go-live was actually boring," Tang says. "Our time spent in training really paid off."