Security implications of MU for healthcare providers

The North Carolina Healthcare Information and Communications Alliance (NCHICA) published a very in-depth whitepaper (pdf) on the privacy and security implications of Meaningful Use for healthcare providers.  Some of the key points of the paper include:

Recommendations for Health Care Providers:  Achieving Privacy and Security Compliance in Meaningful Use Criteria
  1. Review existing governance of privacy and security programs.
  2. Implement effective security governance processes.
  3. Include privacy and security as primary components of the organization’s strategic planning process.
  4. Enhance internal controls for compliance with privacy and security requirements (HIPAA and other federal and state regulations).
  5. Conduct regular evaluations and audits of compliance with HIPAA and new requirements included in HITECH (e.g., breach notification, accounting of disclosures, sale of PHI for marketing and fundraising).  Understand the gaps and prioritize improvement efforts.
  6. Develop an ongoing and documented process for evaluating the privacy and security programs.  This is not a one-time process, but rather a regular recurring assessment to consider changes in the environment and regulatory requirements.
  7. Include privacy and security risk assessment in the enterprise-wide risk assessment and management (EWRA) processes.
  8. Develop new and enhanced training programs in privacy and security for management, board, staff, and all those considered to be part of the organization’s workforce (e.g., medical students, residents, fellows, volunteers, contractors, etc.).

The key points above are ongoing risk assessments, an ongoing process for evaluating your privacy and security programs, and ongoing training of your staff.  Unfortunately, this is not a one-time-and-done process but rather a recurring process that keeps integrating privacy and security deeper and deeper into every aspect of your practice.

The paper goes on to discuss the importance of the Privacy and Security Officers.

Privacy and Security Officers need clearly defined roles and responsibilities.  They should be viewed as key participants in the provider’s governance processes, with regular, ongoing reporting of privacy and security program progress and issues to senior leaders and the Board.
The roles and responsibilities of Privacy and Security Officers should be clearly delineated and serve as a check/balance to protect the organization against possible privacy and security issues that can increase risk and jeopardize the AMC missions related to patient care, research, and education.

I found their phased approach to privacy and security very interesting.  I tend to agree with the phased approach much like learning to walk before running.  Each iteration drives privacy and security deeper and further into an organization.


Letter from AMA to CMS on meaningful use

The American Medical Association (AMA), along with 95 other physician organizations and associations (including state, education and medical societies), has written a letter to the Centers for Medicare & Medicaid Services (CMS) with their comments regarding meaningful use and the EHR incentive program.  The 37-page letter outlines where the organizations agree and disagree with the proposed definition of meaningful use and its direct correlation to the EHR incentive payments.  To summarize the entire letter would be a lengthy process, so I will pick out sections that caught my eye.

The overall message to CMS was that the proposed meaningful use requirements to achieve the initial stimulus payments are too aggressive and the cost to achieve them will deter physicians from participating in the EHR incentive program.

Physicians are deeply supportive of and committed to incorporating well-developed EHRs into their practices to improve quality of care delivery, enhance patient safety, as well as support practice efficiencies. To facilitate this transition, we want to ensure that there is widespread adoption and meaningful use of EHRs by physicians. We do, however, feel strongly that the Stage 1 criteria proposed by CMS for achieving meaningful use of EHRs is too aggressive and if adopted, will deter many physicians from participating in the Medicare and Medicaid incentive programs. This runs counter to the intent of ARRA, which clearly indicated that demonstrating meaningful use should progress over time.

The organizations are concerned about the impact on smaller physician groups.  They also are concerned with the high failure rates of EHR adoption.

The vast majority of physician practices are comprised of five or fewer physicians.  Encouraging physician adoption of health IT, especially small physician practices, is critical to ensuring widespread EHR use. Studies of EHR adoption clearly show that it takes more time for smaller practices to adopt and implement EHRs because they have fewer resources and support. Aggressive timelines and criteria during the initial stage of the incentive program will only serve to undermine this effort. Some government officials have relayed that complex measures and high reporting thresholds are needed to discourage EPs from switching back to the use of paper during this transition to EHRs.  We are very troubled by this assertion. Physicians are deeply supportive of and committed to incorporating well-developed EHRs into their practices to improve quality of care delivery, enhance patient safety, as well as support practice efficiencies. It is also very unlikely that after physicians make a significant up front investment in health IT and changes to their workflow that they will revert back to manual processes. We believe that the larger concern should be deterring the purchasing of costly EHR products that fail to improve physician workflow, patient care, and practice needs. Industry experts have cited that such failures have adversely affected EHR adoption rates ranging from 50 to 80 percent.

The letter goes on to suggest that the requirements for Stage 1 meaningful use should be split over the first two years.

We strongly agree with CMS’ proposal for establishing a staged approach to achieving “meaningful use” of EHRs. In this way, eligible professionals (EPs) are provided a predictable pathway, enabling them to plan, including consideration of practice workflow changes, and to engage in critical discussions with EHR vendors regarding functionalities. To support this, we strongly recommend that the focus of Stage 1 for the health IT functionality measures be on data entry (e.g., problem list, medication list) and structured data (e.g., enable EHR functionality for drug-drug, drug-allergy, drug-formulary checks). If achieved consistently and accurately, a more seamless use and reporting of quality measures will result. Therefore, we believe Stage 1 should be redefined and the proposed criteria should be segmented into two years to provide more flexibility on functionality measures and selection/awareness of quality measures.

The letter addresses each of the 25 meaningful use objectives and describes where the organizations agree and disagree with the proposed objectives.  In my opinion it seems that the message to CMS is that they support the objectives but would like to see Stage 1 objectives scaled back.  The big push should be to get providers to implement EHRs and start using them, without strict requirements, to achieve the stimulus payments.  The organizations recognize that it is costly to implement EHRs and use them in meaningful ways.  It is costly to interface them with other systems including lab results, insurance providers, other EHRs.  And it is costly to support the new technology that is required.  Physician practices need to believe that the meaningful use objectives are realistic and that they are able to meet them.  Furthermore, they need to feel that they will be able to obtain the stimulus incentives to offset the costs of EHR adoption.  I feel the letter correctly addresses a lot of the issues that physician practices, both small and large, will face as they begin implementing EHRs.  It will be interesting to see what CMS does with the organizations’ recommendations.

The letter can be found on the AMA website.


Medical Practices: Deer in the headlights

I get to have a lot of conversations with physicians, practice administrators and operations staff.  From a high level view it seems like most practices are at a standstill regarding new projects, EMR implementations, EMR conversions, and basically anything else but the status quo.  It is almost like practices are frozen like deer in the headlights.

When you take a step back and look at all the factors it is no wonder this situation exists.  Here are some themes, quotes, and thoughts that I have heard over the past few months.

  • We are not sure how the proposed cut in Medicare reimbursements of 21% is going to affect our revenue.
  • Reimbursements from private insurers have slowed down significantly and it is hurting our cash flow.
  • We are seeing a significant drop in patients and we believe it is recession related.
  • We have no confidence that we will see any money from the stimulus bill.  There is no definition of what meaningful use is or what a certified EMR is.
  • How can you do anything if you don’t know what the healthcare reform is going to look like or if it is even going to be passed?
  • We want to implement a new EMR but our data is locked in our old EMR.  There don’t seem to be any tools for getting the data out.

When you put it all together you get a sense of uncertainty.  The political, economic and technology environments are covered in uncertainty.  Is it any wonder that medical practices are frozen like deer in the headlights?  I would love to hear about your practice, your concerns, and steps you are taking to address the uncertainty.
