Meaningful Use attestation began on April 18, which means that there is now some field experience on how to meet Meaningful Use Stage 1 requirements. I polled my staff to see what we’ve learned through the process. Which requirements seem to be the hardest? What are the best ways to meet those requirements?
The findings, though obviously not statistically meaningful in any way, were quite interesting and instructive (well, interesting at least to that perverse sliver of humanity who find health IT and Meaningful Use interesting enough to write and read about it).
Looking at the Core Requirements, the most difficult requirements seem to be (in order of difficulty):
Capability to exchange key clinical information. The biggest difficulty with this objective seems to be figuring out what the heck it means. What are “different legal entities?” What are “distinct certified EHR technologies?” What is “key clinical information?” What does it mean to “electronically exchange” key clinical information?
There are some answers available at CMS, but health care delivery is too complex, and the FAQs a tad too vague, to be really useful in many if not most circumstances.
One large source of confusion with this requirement is whether it requires some kind of connection to a Health Information Exchange. The answer is a resounding NO. Indeed, meeting the requirement doesn’t seem to require an electronic connection to another practice at all. All it requires is that a valid clinical summary CCD/c32 be generated from one certified system, and that an attempt be made to upload it into another distinct certified system.
Thus it would be perfectly acceptable to create the file using your certified EHR system, encrypt it (using a cheap and easily available commercial utility like WinZip, for example), pass the file to another practice on a CD or a thumb drive or even using commercial e-mail (like Gmail or Yahoo), and ask them to try to upload it into their system.
Doesn’t have to be through an organized HIE activity. Doesn’t have to be structured data. Doesn’t have to be transported electronically, since ONC somehow decided not to create any standards for that. Doesn’t even have to be successfully uploaded by the receiving practice! It’s like testing my high school son’s ability to show up for the SAT exam on time and with a number 2 pencil, rather than his ability to actually answer the questions on the test. (He’d be thrilled!)
If you are part of an organized HIE activity (like the New England Health Exchange Network, for example), you can transport your test file electronically. And some EHR vendors are helping their customers meet this requirement by matching up different customers with each other and facilitating transport through their own proprietary exchange infrastructure.
For example, eClinicalWorks, Medent, and Epic provide this service to their customers. But if you don’t happen to have such options, you can go just do it the old-fashioned way described above, and maybe even make it a little fun. “Hey Dr. Jayne, bring your flash drive on Wednesday morning and we’ll take care of MU before our tee time.”
Protect Health Information. This objective requires that the practice implement “appropriate technical capabilities” to protect health information and validate that they have done so by “conducting or reviewing a security risk analysis” of their internal capabilities. We’ve found that most providers generally know what the privacy and security rules are, but they’re shockingly unfamiliar with the details and they probably don’t know the severity of the punishments for violating such rules. Obviously, knowing the penalties should make people focus on the rules, but no one thinks it’s going to happen to them, so they put it on the back burner, if it’s on the stove at all.
You don’t have to be Sony to get seriously whacked by the long arm of the law. If you have some kind of breach and are determined by federal authorities to be “cavalier” toward protection of health information, for example, you could face a $250K fine, and up to $1.5M if you seem to be repeatedly “cavalier.” If you lose track of information on over 500 individuals (by having a laptop stolen, for example), you could be required to issue a press release to media outlets in your area and have your practice name listed on a federal Web site, in addition to any fines you might face.
And that’s just the federal requirements. Some states, like my own state of Massachusetts, have equally strict laws that correlate with, but don’t exactly match, federal rules.
This requirement is deceptive because it leads one to believe that protecting health information is just a technical issue, when any privacy/security professional would say that it’s mostly policy, procedure, and attitude. Because this requirement is so vague and so focused on technical capabilities, there is a risk that an EP merely checking the box on this one could be lulled into thinking that they’ve adequately addressed federal and state privacy and security rules when they might not even be close.
The best way to address this requirement is to hire a well-respected third party security audit firm. If you don’t know where to find one of those, your hospital or a large practice in your area would almost certainly be able to point in the right direction. Your IT vendor may say that they can provide this service, but be careful — some will only focus on technical issues like firewalls and will give scant attention or completely ignore the policies and training that you and your staff need to really meet the letter and the spirit of the law.
And in no circumstance should you rely on your EHR vendor for this. They’ll be highly unlikely to have the holistic view of your operations necessary to protecting you and your patients. And as much as it hurts, it might be worth paying you lawyer for a short chat about your legal exposure in this brave new world.
Provide patients with an electronic copy of their health information, and Provide clinical summaries for patients for each office visit. I lumped two objectives together here because both of them involve providing information to patients, which makes them incredibly important because they are customer-facing and directly embedded in day-to-day and visit-to-visit workflow.
The general difficulties practices have with these requirements are: What information am I supposed to provide? Do I really have to provide in any way that they want? And how long do I have to provide it?
In terms of what to provide, the requirement itself is a long list that seems fairly innocuous on the face of it, but has a few undefined oddities, like “recommended patient decision aids.” The harder part is that the EHR certification requirements don’t match exactly with what’s supposed to be included in the patient information, so any hope of automating this process in your office could get seriously bollixed up (a technical term) if the information you’re supposed to give to patients isn’t what the software spits out.
The other barrier we’ve experienced is that, as much love as we have for patients, they aren’t always as well behaved as we might like. So terms that say “per patient preference” can start to get complicated if it means that some patients want it on paper, others ask for it in a patient portal, others want it in their PHR, still others want it on a CD, and the rest want it on a thumb drive (the latter being patient-provided and possibly virus-laden and unencrypted, of course). And that just covers the reasonable options.
The reality so far is that the electronic information requirement is manageable because few patients are requesting the information and, I suspect, few providers are pushing it. The clinical summary information is a little easier because most EHRs do create some kind of post-visit summary, which is maybe probably mostly hopefully compliant with what the objective requires … or close enough for government work, anyway.
All of this isn’t to suggest that the other requirements are a walk in the rose garden (quality measures, for example, are like a whole new set of requirements). These are just the ones that we’ve found particularly troubling for those pioneering physicians who are attesting now.
I haven’t yet talked about the Menu set, which is a minefield onto itself. And whether meeting all these requirements is actually getting us to a world of better and more affordable health care is an even bigger issue that I won’t even try to tackle here. Gotta save something for future entries …
Micky Tripathi is president and CEO of the Massachusetts eHealth Collaborative. The views expressed are his own.