The postings below have been edited due to spacing concerns. To read all of David Raths' blogs in their entirety, please visit /contributors/david-raths.
A New Business Model for Human Services
Posted on: 11.22.2009 9:56:14 AM
If you are a hospital CIO wondering how you are going to cope with the meaningful use matrix or the interoperability issues around joining a health information exchange, just remember that things could be worse. You could be the CIO of a state department of human services.
Because of how funding is channeled from the federal government to state health programs, these departments end up with huge computing headaches that can hamper their ability to communicate with each other or serve the public.
I recently saw an inspiring presentation by Rick Howard, CIO of the Oregon Department of Human Services, who is determined to make incremental changes to the infrastructure to provide a comprehensive view of the clients and populations that Oregon DHS serves.
Describing the current state of affairs, Howard noted that individual applications within the department grew up independently with dedicated funding from the federal government. So, for instance, applications for public health and child welfare are siloed, making it difficult to get data from one system to the next. Over the years, custom interfaces have been written, but that just makes changing anything a complex and expensive task.
In the current setup, only a limited amount of client information is accessible in a central location. The upshot is that there's little service coordination between agencies, which can frustrate employees and the stakeholders they serve.
Howard has an ambitious plan to shift to a more modern architecture over the next six years that involves a data warehouse and shared Web services. Among the goals would be to track common clients across multiple systems, integrate case management services and share common business processes.
But, he said, information technology won't solve any problems unless business practices also change. In fact, Howard argued that all state human services departments and the federal government need to focus not just on the computing aspect, but on a common set of technology-neutral business practices that lead to agency interoperability. Because what these state-level departments do is pretty similar in all 50 states, he believes the United States would benefit from the development of a national business architecture for health and human services. He said that such business blueprints for how these departments work should be “person-centric” and service-oriented, rather than program-centric as they are now. “That would allow for the creation of an IT infrastructure that supports improved outcomes,” he said, “by providing a comprehensive view of the clients and populations we serve.”
I was impressed by how much change management Howard is willing to take on. I was also struck by how his comments about changing business processes at the state level mirrored what so many others in IT in the provider space have told me: that technology will only take us so far if the underlying business processes and incentives remain broken.
Data Breach Rules: the ‘Octomom’ Example
Posted on: 11.13.2009 3:14:03 PM
Last fall, I wrote an item about the U.S. Department of Health and Human Services' new interim final rules on data breach notification. Something I heard during a panel at the recent World Healthcare Innovation and Technology Congress reminded me of why this is still a controversial issue.
To review, HHS has established a harm standard that a breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational, or other harm to an individual.” In the event of a breach, HHS' rule requires HIPAA-covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the health providers are not required to tell their patients that their health information was breached.
That may sound reasonable and fair. We don't want to put too great a reporting burden on covered entities. But in a presentation on privacy and security issues, Deven McGraw, who leads the Health Privacy Project at the Center for Democracy and Technology, mentioned the data breach at Kaiser Permanente Bellflower Hospital in Los Angeles. Earlier this year, a California Department of Public Health investigation found that 23 employees at a number of Kaiser facilities with access to EMRs unlawfully breached the privacy of a patient who gave birth to octuplets.
In that case, many people lost their jobs and Kaiser was fined $250,000 under stringent new state laws that went into effect Jan. 1, 2009. But McGraw's point in mentioning this breach was that the people who accessed the records were Kaiser employees, so the type of internal investigation that HHS envisions may very well determine that there was no financial or reputational harm done in that case.
Yet I think most people would agree that if two dozen people who have no need to see your records are gawking at them, you deserve to be informed about it. You may not have George Clooney or Britney Spears staying at your hospital anytime soon. But if they do show up, do you have controls in place to protect against snooping into their electronic files by curious employees?