Thursday, February 27, 2014

MeaningfulUse 2015 Posts

It's only been five days and already I need a table of contents for my posts on Meaningful Use 2015.  If I need it, you might too:

  1. Predictions on the 2015 Certification Rule
    My predictions on what would be in the rule.  How did I do?
  2. Meaningful Use 2015 Certification Rule
    My initial observations about the 2015 Certification NPRM
  3. Postel's Principle, CDA and Meaningful Use
    In which I discuss the challenges to applying Postel's Principle to incorporation and reconciliation of CDA content into an EHR.
  4. CCDA Versions and Meaningful Use 2015 Certification
    In which I ruminate on how to ensure compatibility between CEHRT certified under different regulations.  No solutions yet, just chewing the cud.
  5. ONC Meaningful Use Presentation
    Steve Posnack shared this presentation with attendees at an ONC Educational Event at HIMSS14 and he shared it with me so I could share it with you.
  6. Meaningful Use 2014 - 2015 Crosswalk
    This great crosswalk is supplied by Hans Buitendijk of Siemens to help you figure out what the differences are between the two rules.
  7. An HL7 Specification for Addressing Meaningful Use Driven Standards Ballots
    Some thoughts for how HL7 could address the ballot demand due to Meaningful Use Initiatives.
I'll try to keep this list up to date, but you can also find these and any additional posts using the mu2015 category on this blog.

MeaningfulUse 2014 - 2015 Crosswalk

In the spirit of industry cooperation which often accompanies new regulation, Hans Buitendijk, a standards colleague in HL7 by day (and my favored candidate for HL7 Chair), and a competitor at Siemens the rest of the time, has shared the following comparison of the 2014 Certification Criteria against the 2015 Criteria.

He notes:
  • It only compares 2014 FR with 2015 proposed amended language for part 170 starting page 205.
    • Various standards are referenced in the pre-amble (e.g., HQMF, UCUM, etc.) that are not in the proposed amended language. I did not attempt to include those as I have not delved into the pre-amble yet.
  • The text in red indicates variances that matter.
    • For example, splitting CPOE into three criteria or combining two ToC criteria into one and adding 4 transmit criteria does not turn everything red as there are chunks that really did not change. I think in the process I caught all, but I may still have missed something.


Please join me in thanking Hans and his employer for sharing this greatly valuable resource!

Updated with the latest version. See the link above to download this file.

Wednesday, February 26, 2014

MeaningfulUse presentation by ONC at HIMSS14

On Tuesday, Steve Posnack, Jodi Daniels, and Jacob Reider presented an overview of the Meaningful Use 2015 criteria. Steve was kind enough to share his slides with me so I could share them with you.

Keith

Updated with his most recent deck, which has a small change to slide 7. See the link above to download the presentation.

CCDA Versions and MeaningfulUse 2015 Certification

One of the HUGE challenges introduced in the Meaningful Use 2015 certification criteria is the replacement of CCDA 1.1 with CCDA 2.0.

Here's the issue in a nutshell:
CCDAs produced by MU2014 certified product won't be able to interoperate with CCDAs produced by MU2015 certified product.  CCDA 2.0 tightens up the rules that have to be followed in CCDA 1.1, so it should just be a slam dunk.  However, it also changes the template identifiers, so it's the C32 to CCDA transition all over again for implementers.  In fact, they changed just about every template identifier.

It requires an extensive and deep gap analysis to do this kind of transition to a new version.  Essentially, the new templates are backwards compatible with the old (with a few minor exceptions), BUT, the template identifiers have also changed, and without a good map, getting from one to the other is difficult.  And 2015 CEHRT's should be able to work with 2014 CEHRT's as well, which means they have to support both.

So not only do we hand them a difficult transition, but we also make them accept what used to be valid as well, because it only makes sense, and we don't give them an easy way to transition upwards.  Easy transitions upwards in versions is another important principle in advancing standards.

This is NOT yet an insurmountable problem, but it will be if HL7 acts hastily in closing out the CCDA 2.0 ballot, or if HL7 members don't act to address the issue.  I was happy to let this go back in October when the vote was cast and the position I supported lost by two votes.  But that was when CCDA 2.0 was for MU Stage 3, and not when it was for 2015, just a year after we went from C32 to CCDA, and not when the new rule is optional.

It's not OK that a 2015 CEHRT won't be able to transmit a CCDA to a 2014 CEHRT because they use different versions of CCDA.  It's not OK because my doctor and my hospital use two different EHR's (which is fairly common when you consider that the Ambulatory and Hospital EHR markets are in different segments), and those EHRs are more likely to NOT be able to communicate if one or the other moves up to the new criteria.

We need to solve this problem.  Fortunately, CCDA is still in the operating room (finishing up the ballot), and there is still some chance that templates will finish first and a new versioning mechanism will be in place for templates, at which time I have a good chance of being able to reopen this question, because the situation will have changed.  And there's time between now and the end of August when the 2015 FR is expected to be published for HL7 to solve the problem.

That isn't a complete solution for the 2015 certification rule though.  Realistically, more is needed to ensure a backwards compatibility path.  Transformation from a CCDA 2.0 to a CCDA 1.1 should be both feasible and automatic (not so in the other direction).  That provides a pathway to support both formats and provides a transition mechanism.  I have to do more thinking about this problem too.

    Keith

P.S.  I know this is my second post in as many hours, but I'm getting behind on posts, so just catch up!

Postel's Principle, CDA and MeaningfulUse

If you've been reading the Meaningful Use 2015 NPRM as I recently did, you probably came across the discussion around requiring certified products to accept 95% of CDA documents.  I can see Doug Fridsma's hand in this. One of his favorite laws of standards is Postel's Principle.  In fact, he quite gleefully looked over my shoulder as I tweeted a comment from heckler's row to the effect that ONC is applying Postel's law to CCDA during Steve Posnack's review of the 2015 certification criteria.

This will be a challenging certification requirement to implement in many ways.  The way it is currently worded below, it appears as if you can only test it after the fact.
§ 170.212 Performance standards for health information technology. The Secretary adopts the following performance standards for health information technology:
(a) EHR technology must successfully electronically process documents validly formatted in accordance with the standard specified in § 170.205(a)(4) no less than 95% of the time.
How would you measure or certify for this?

There are a couple of challenges.  The first thing is in the definition of "success".  What does it mean to successfully process a CDA document?  There are several key processes specified in Meaningful Use.  One of them is to reconcile and incorporate the content of the document for problems, medications and medication allergies.  But there is also a need to incorporate other material, such as laboratory results, or narrative sections into the EHR.  A more careful definition of success is certainly needed here.

Another key issue is the measure of validity.  How would validity be determined?  I've often mentioned that for Meaningful Use, the current TTT validator requires conformance to all required capabilities of Meaningful Use.  That is to say it verifies the maximum possible CDA that a product must be capable of sending.  There are other provisions of Meaningful Use which require the product to offer the physician the ability to customize what is sent so as to include only relevant data in a summary.  Those provisions enable a physician to create a valid CCDA that will not pass validator testing because it doesn't demonstrate all required fields (e.g., there may not be any procedures recorded if none were done).  We must further distinguish cases where a medication is reported but no code is known, or a disease is reported but no code is present in the specified coding system.  For example, suppose that Influenza Type A subtype H7N2 (a bird flu) becomes capable of infecting humans.  Find a SNOMED CT code for it.  You won't be able to.  You'd have to live with a supertype (Influenza Type A subtype H7). What about the case where a medication can be identified, but the dose and frequency aren't available?  So all of these variants are possible, and we'd have to define what it meant to be able to successfully import these.

There are two ways to approach this offhand:  Statistically, or through detailed analysis.  The former method simply says "get a large number of varying but valid samples", and require the EHR to successfully demonstrate incorporation of each.  It's easy, and it gets you to some degree of reliability quickly and easily, but it will certainly miss some non-obvious cases that someone somewhere will eventually program into a system.  The second method is by doing a detailed analysis.  This is more difficult, because it requires someone experienced enough with the standard to determine the legal range of possible variation, but not so well entrenched in it to miss the obvious sources of variation that a practitioner well trained in best practices will simply ignore because they've had that variation trained out of them.

Based on Meaningful Use statistics, you can probably identify a small number of products producing CCDA's that represent 95% of the physicians already using a CEHRT.  You could build a test set from those vendors.  Who's going to build that set, and what is in it for the vendor to contribute to that effort?  Many vendors are hesitant in giving out examples of what their product can do without certain assurances that the material will not be used in ways that allow other vendors to compete.  This is the reality of being in business.

One of the biggest values of IHE is that it provides an environment where vendors can do that sort of testing and gather that sort of test data on profiles they care about, in a way that ensures those samples are protected by non-disclosure agreements.  What happens between vendors at Connectathon stays there, it's part of the agreement we all sign when we show up, and that includes how we deal with the testing data.

But Certification testing isn't done in that sort of environment.  So either the data has to be gathered ahead of time, or be developed in a painstaking manner.

I'm not against the idea, but the mechanism by which it is implemented needs quite a bit more description before I'd be willing to say that this regulation is ready for prime time.

Some of the SHARP work, specifically the SMART-CDA Scorecard could be of assistance here.  I'm still ruminating on this one.

Monday, February 24, 2014

MeaningfulUse 2015 Certification Rule

A quick summary of what is new and different in the recently published Voluntary 2015 Edition Electronic Health Record Certification Criteria: Interoperability Updates and Regulatory Improvements.  You can also find the Word version here, and I recommend it to you for making comments.  Kudos to ONC for making that version available, as it helps both them and us review the material and effectively make comments.

This is but a summary of what I read between 5:30pm Friday afternoon, and finished reviewing sometime Sunday morning.  It's amazing that I've already had three deep discussions about this content with three other people who've also read it through, and it has yet to be officially published in the Federal Register (but will be there by the time most of you are reading this post).  Note that I started reading this document in Virginia returning from "vacation", and finished my first pass Sunday morning around 9:30am before taking off for HIMSS 2015.  I spent around 90 minutes on this Friday, 15 on Saturday, and about two hours Sunday morning.  While I read, I tweeted the highlights using the hashtag #mu2015 as a way to keep notes.

Some tips when reading NPRM's.  I read them through several times.  The first time, to get the gist of it, I start after the boilerplate and history and regulatory authority, and stop as soon as it gets to the financial impact statement.  So, I don't actually read the proposed regulation, just all of the commentary around what they proposed and considered.  That's the essential stuff you need to know for commenting, while all else is useful, the meat is in that chunk.  It cuts about 25 pages from the front half, and another 75 from the back, so I only had to read 150 pages, not all 252.  Normally, I'd go through 150 pages in about 2.5 hours, but remember that I'm also taking notes while doing this, so not bad for four hours.  I know people who've already put 8 hours into this thing.  So what you are getting is just the gist from that first read through.  Note that in the following, all page numbers are in the pre-publication public inspection version of the rule (and the ONC Word Version), not the prettily formatted Federal Register version that will be published Monday.
  • Many criteria have been split to better support modular certification, which is the only form expected to be supported henceforth.  It makes sense because not everyone needs a "Complete EHR" or has one from a single source.
  • The first of these to be split out is CPOE, separately for labs, imaging and medications. (p26-29)
  • The standard to use for transmitting orders to labs will be the S&I Framework LRO Guide balloted through HL7.
  • Additional criteria has been added for labs, and the NPRM strongly hints at future ramifications regarding CLIA requirements for labs interfacing with 2015 Certified EHR technology.  This was my second predicted standard back in December.  I also made some points about possible CLIA ramifications almost a year ago that got some attention, and may be in the works if I read between the lines correctly.
  • I complained quite loudly about how ONC messed up the selection of the standard for language codes by selecting a different standard than was already in CDA.  It appears they are considering how to fix this problem now.  I'm all for using RFC 5646 which is what the Internet understands (and so does CDA).
  • P38 of the rule offers explanation of how AHA recommends BP be taken. Have you ever had your BP done this way?  Me neither.  Let's use LOINC for the vocabulary as suggested in the NPRM.
  • Note, many criteria are unchanged, for example, the need to record current problems, medication allergies and medications.  I skip a lot of this, as well as minor version updates of standards.  The point is that a summary should only address those things that are pertinent and relevant.
  • P39-44 explains rationale for use of #HL7 Health eDecisions and DSS guides.  There's a lot of explaining here, and probably for good reason.  That standard needs quite a bit of work still to harmonize with everything else already in the MeaningfulUse architecture.  Prediction #3 came mostly true.  I'll count this one in full because the key was HeD, and not VMR.  DSS implies VMR in any case.
  • P44 searching across electronic notes added.  This is a pretty significant change.  Dare I say, they want to be able to Google within a patient record?
  • P48 smoking status unchanged.  This is one of the unchanged things that really matters to people.
  • P49 access image results unchanged.  And another one.
  • P49-50 covers changes to family history, and this is going to be a whole blog post.  Family health history to be recorded using HL7 Pedigree standard, as SNOMED CT dropped.  The key challenge here is that the Pedigree standard is a model, not an XML expression.  How do you test conformance to a model?
  • From P25 to page 51 there are at least four references to FAQs which have been adopted into regulation thus far.  I see a pattern developing.  Check the FAQs.
  • In the HL7 InfoButton standard, there's no real way to do a patient education or CDS based information request based on a lab result value, only the lab result code.  Thus, I can request information on A1C, but not on a value of 7% in an A1C result.
  • If the patient has a device that has a GUDID, then it appears in their record.  I missed that in my predictions, and it should have been obvious in retrospect given the big splash back in the September HL7 meeting that the FDA and others were trying to make.  I don't know that missed predictions count against me though ;-)
  • P62 begins the discussion of splitting the create and transmit to be separate criteria.  I know a few interface engine vendors who cobbled together a CCDA just to get certified to support create and transmit because you couldn't separate them in order to meet their customer's needs to be able to use that engine to support transmit.  You needn't show create to certify for transmit & versa visa! +1 for @johnmoehrke
  • P65 "would no longer require testing and certification to the primary Direct Project specification" supports more flexible approach, which simply involves demonstrating that you can get your message to a Direct address.
  • In my tweet I said OMG, but I really wanted to say something much stronger when I realized they actually named CCDA Release 2.0.  As that standard presently stands during reconciliation in HL7, the template identifiers are completely different and it will be largely incompatible with MU 2014 certified systems.  So only 2015 certified systems will understand it, and that will cause a HEAP of hurt because 2015 is an optional criteria, which now means we are back to two standards, CCDA 1.1 and CCDA 2.0, and the two at present don't have a backwards compatible path for 2014 Certified EHR products.  Another prediction right (although I later withdrew it thinking, or perhaps hoping, they wouldn't make that mistake).  Then again, it's still correctable because 2.0 is still in surgery right now (ballot reconciliation).
  • ONC added a performance measure that "EHR technology would need to be able to receive no less than 95% of all" valid CCDA documents.  This is pretty significant, especially since ONC never really defines what "receive" means.  To me, that means successfully import. This is where I hoped they would name the TOC Guide instead of CCDA 2.0, and they didn't.  So, I think between CCDA and TOC, I get a half a point.
  • P74-75 discusses name matching criteria that includes first, middle, last, dob, place of birth, maiden name, sex, and current & historical address.  For name matching purposes, some of these are good confirmatory elements, and others are good elements to confirm or reject a match, but the criteria doesn't say how to use which ones.
  • Note that the above criteria, and the addition of GUDID means that the Common MU Data Set will likely be changing to support those additional data elements.
  • P78 In one place, two requirements were merged: The requirements for reconciliation and incorporation requirements were combined.  I keep telling people that the IHE Reconciliation profile is a good profile to adopt for these requirements.  IHE is going to be updating it this year to simplify the requirements and make it easier for systems to declare conformance.  Maybe ONC could adopt it?  They did ask.
  • P83-86 discusses #HL7's #HQMF release 2 standard, proposed for EHRs to interpret Clinical Quality Measures.  Another prediction right.
  • P88 CEHRT must be able to filter populations by several criteria before producing measures.  This one seems kind of silly, since a measure already has a population criteria which filters the population to which the measure applies.  It may well be that some don't understand how measures or HQMF really work.
  • P90 They asked for feedback on support for two factor authentication for ePrescribing of controlled substances and remote EHR access.
  • P97 Contains a spoiler alert "given our proposal to discontinue the Complete EHR concept ..."
  • P101 WCAG level AA proposed instead of level A for View capability
  • P103 Imaging is back into play for patients. This was proposed for 2014 but later dropped.  Shouldn't patients be able to get diagnostic quality images?
  • P109-113 Both CDA and QRDA standards were proposed for syndromic surveillance in ambulatory space.  Both might work.  The former would be used as specified and the surveillance would occur by simple inspection of that appeared without a lot of net new exchange requirements.  However, we'd be utilizing QRDA instead of using it for this purpose.
  • P129 ONC provides a 2014 to 2015 equivalency table that will save many of us a lot of work understanding the rule.  Thanks!
  • P149 Finally Meaningful Use gets meaningful brand identification with introduction of a certification mark 
  • Questions about 2017 criteria start at p154, and so I stopped reading there, since my review was strictly to address 2015 criteria.
Of significant note, BlueButtonPlus didn't make it into the proposed criteria, and was barely discussed in such a way that it could be included.  However, there's a way forward.  But first some discussion about regulations.

There's rules about regulations, not surprising.  One of those rules is that if it wasn't discussed or asked in the proposed regulation, it cannot be done in the final rule.  So if there is no discussion about Blue Button + in the regulation, it couldn't be in the final rule, right?  Except there is a big hole in the second paragraph of Page 100 which says: "We seek comment on whether we should require another transmission method as part of this certification criterion in addition to the one just discussed."

There's the opening for Blue Button +, which is after all, a transmission protocol.  So, if you want Blue Button + to be part of the 2015 criteria, that appears to be your opening.  It is such a close thing to what is already required in VDT, couldn't we just go there?

As a summary, this is pretty long.  Let me make a long story short.  My grade on predicting appears to be 3.5 right out of 5, with one major missed prediction (GUDID).  I can live with that score, especially since I don't know many others who were willing to go out on such a limb.

     Keith

P.S.  I proposed in my Project Management class to take on planning a project to do an assessment of the 2015 criteria.  Now that we have half a clue what it is, my team can proceed to the next step.

Friday, February 21, 2014

Herding Panthers

One of the joys of my job is getting to work with some of the best and brightest people in this industry. It is especially fun when I get to hand-pick a team from among those that I know in that space, or work with somebody else's hand-picked team.  The challenge of working with a team that good is that everyone has their own process and style, but as a team we have to develop a common style and process.

That is perhaps the hardest part about leading a team like this, except for one thing.  We all work in standards, and we all know how to follow a consensus process.  My job is not so much leader, as it is chair.  I have to make sure that there are plenty of straw men to throw tomatoes and eggs at, so that the team can do their best work creating a process and style that works for everyone.

It's the kind of job where you have to leave your ego at the door [but then be ready to run and grab it again later].  I both love and hate this kind of work.  The results are the best, but getting there is a struggle.  My favorite part about this is watching one of the team snag the ball and run down field with it for 20 or 30 yards.  Enough advances like that, and we can easily score.

Thursday, February 20, 2014

Disrupt is Simply a Word

Disrupt has become such a marketing buzzword lately that everyone who wants to be seen as successful is using it.  Yet, when the major disk drive manufacturers decided not to enter into the smaller, cheaper, less capable drive market, and other companies entered those spaces, did they do so touting disruption?  No, they just did it.  They didn't ask for permission, didn't need government assistance, they just walked in.

Now everyone wants to be seen as being as successful as those cheap storage makers of days gone by.  But few note that those same storage makers were displaced by yet another lower end, and are now being replaced yet again by solid-state storage. Few of those companies that were so disruptive were smart enough to stay through the next cycle.

So, the next time someone tells you that they've got the next market disrupting model, ask them these two questions:

1.  What market need have you anticipated that nobody else has?
2.  What should I do about it?  

If the answer to question #1 doesn't make the answer to question #2 obvious, then what you might have in front of you is simply someone who has spent too much time in airport bookstores, and not enough in basements, garages or back rooms looking for solutions to real problems.

The best evaluation of disruptive innovation is in its aftermath.

IHE Cardiology Technical Framework Supplement Published for Public Comment



The IHE Cardiology Technical Committee has published the following supplement to the IHE Cardiology Technical Framework for public comment in the period from February 20, 2014 through March 22, 2014:

* Electrophysiology Implant/Explant Report Content (EPRC-IE)

The document is available for download at http://ihe.net/Public_Comment/#cardiology. Comments submitted by March 22, 2014 will be considered by the IHE Cardiology Technical Committee in developing the trial implementation version of the supplement. Comments can be submitted at http://ihe.net/Cardiology_Public_Comments.

Tuesday, February 18, 2014

Your Highest Priority doesn't even Hit my Radar Screen

Sometimes I run into someone, or read something about how someone says that XYZ is a problem, and we should fix that, and if only we made every ___ do it this way, the problem would be solved, and think of all the money that would be saved.

Except that while XYZ is a problem, it isn't a priority for me.  I've got a ton of problems, and XYZ isn't one of them.  It affects 1/10 of one percent of the smallest group of activities that my customers engage in, or I ever need to deal with.  And, yes, in that very small set of cases, there's an improvement that could be made.  But it will cost you some number of $$$ or resources, or time and effort.  And those same $$$ or resources or time and effort are something that won't be spent on higher priority issues that my stakeholders really care about.

I could wish that we could keep agency X's agenda from agency Y's rule making process.  Health care touches everyone, but that doesn't mean it should be a slave to everyone's agendas.  Remember the purpose, it's actually in the two words: Health Care.  It's not primarily about law enforcement, taxes, fraud, abuse, education, the military, veterans, education, or any other special issue.

When your special issue has a priority that affects health care, such that the value of the special issue is greater than the impact trying to squeeze that into the development of systems for health care, then it will pop up on my radar screen and make sense to apply myself to it.

I think the only way to make it apparent is to create a real prioritization process, where someone can assess a) the value of an intervention to its stakeholders, b) the cost of it to the implementers, and c) the value of that same intervention to those who must use it.  When c) exceeds b), it should be considered.  I don't care how big the value is to you, if it isn't worth it to my customers, it probably isn't valuable to me either.  When a) exceeds b), but c) is too small, consider sharing some of a) with those who do b) and it might, just might become worth doing, and hit my radar screen again.

Until then, please save me from somebody else's priorities.

Growing Up

What do you want to do when you grow up?  It's a question that's been rolling around in your head for decades, right?  It's also one you ask your kids.  I jokingly respond that if I make it to 50 without growing up I won't have to.  You could interpret that to mean "I'm pretty comfortable doing what I'm doing and don't see a need to make big changes," but that would be a lie as I wouldn't bother with school.  What that statement really means to me is that the state of "having grown up" is a terminal state (or as we learned this week in one of my classes, a capturing state in a Markov model).

The question also applies to organizations, like HL7 International, or IHE USA.  And again, the idea that "grown up" is a done thing applies even less to organizations than it does to people.  Growing up is a process of change.  Organizations need to be constantly changing to meet the needs of their environment.

And people will either resist or promote change.  It's not comfortable, but the alternative is even worse.

Remember this, when an organism (person or organization) stops changing, it isn't because they've reached perfection, but rather, because they have died.

Friday, February 14, 2014

Easy is Hard

There's a natural tension in standards development between learning the methodology of an SDO and making that methodology easy to use.  The problems we work on are difficult, one would expect that the people who solve them are big-brained, and can learn complex methodologies.  The same can also be said of the practice of medicine.

However, true brilliance in this space makes the complicated look easy and obvious.  You know you've got it right when you can explain it to your mother, or perhaps your teenager.  Unfortunately, it isn't readily apparent that anybody has found a methodology for that yet, let alone made that easy and obvious to practice.  So, we blunder along, and occasionally something like FHIR comes along.

Yet there is a method in all the madness.  FHIR arose out of one developer's frustration with all that was wrong with HL7 V3.  FHIR rejects complexity as being necessary, and embraces simplicity as one of its principles.  One of the most often heard complaints from the cognoscenti is about the "80/20" rule that FHIR applies.  When I hear one or two complaining loudly about how some feature should be in the 80%, I laugh, because the metric is working.  It's causing pain and thought, instead of taking the easy road.  It's easy to add everything including the kitchen sink.  It's hard to figure out what is the essential requirement.  We should be complaining on the boundaries.

But here's the easy metric.  If you are among the 1 or 2 of a dozen who feel that a feature should be in the 80%, you are probably wrong.  If not, you'd be able to get at least one or two others to agree with you. And since you cannot, clearly it isn't there.  Being on the wrong end of that sort of governance is frustrating.  Hell, even being on the right end of it is frustrating.  Frustrating because it's difficult.

Nobody said your job was going to be easy.  After all, that's why they pay you the big bucks, is to do the hard stuff.  So let's do it.


Wednesday, February 12, 2014

HIPAA Bullshit about Windows XP

OK, don't get me wrong.  I usually like stuff posted over at HITechAnswers, but this is just one of those days where posting free content just doesn't pay. First read the post in question.

Now, let's see where the feces lie.






  1. Just having a Windows XP computer on your network will be an automatic HIPAA violation.
    There may be automatic HIPAA violations, but JUST HAVING A WINDOWS XP computer on your network isn't one of them.  Not doing an annual risk analysis is.  And if you do a risk analysis and can verify that you've taken appropriate steps to protect other computers on your network from the Windows XP computers which may also need access to that network, then you may be in compliance (depending on what else you found).
  2. Which makes you non-compliant with Meaningful Use.
    HIPAA Violations don't automatically make you non-compliant with Meaningful Use.  There is nothing in Meaningful Use that says if you have a HIPAA Violation you lose your incentive $$$.  HIPAA Violations happen, and HHS can penalize you for them, but at the moment, they cannot cause you to lose your status as a meaningful user.   What meaningful use says about it can be found at 495.6(j)(16)(i) and (l)(15)(j).
  3. and will be a time bomb that could easily cause a reportable and expensive breach of protected patient information
    OK, not really bullshit, but still the crap-o-meter is up there.  What is that computer doing and what is it hooked up to?  If it's sitting in the lobby providing free web access to anyone, but is on your office network, then it's not just a time bomb, it's also been booby trapped.  However, if it is sitting in a back room, has had most ports locked down, and is monitoring some critical equipment, and is only accessible in certain ways, then it's quite possibly safe.  DO THE RISK ASSESSMENT.
  4. The HIPAA Security Rule specifically requires that you protect patient information with system patches and updates, which will not exist for Windows XP after April 8.
    The latter part is probably true.  However, the former part about system patches and updates is NOT what the HIPAA Security Rule says.  I suggest you READ IT FOR YOURSELF and stop relying on others to interpret it for you.
  5. There are fewer than 12 weeks to replace every Windows XP device in your organization.
    NOPE.  Not even close.  If you let his assessment guide you, then sure.  However, if you do your own assessment, you'll quite possibly find that the XP system used for that one specific task isn't a total security hole, and that there are things that you can do to mitigate the risk while you address the issues in a reasonable timeline. Neither the word patch nor the word update appears in the Security rule.  However, the word reasonable does, several times in 45 CFR 164.306.
  6. Getting rid of Windows XP means replacing both hardware and software.
    Not the last time I checked.  It might be a good idea, but it is absolutely not required.
  7. Replacing Windows XP lets you comply with both the HIPAA and Meaningful Use requirements that you secure patient data.
    No.  Actually, doing a RISK ANALYSIS does, and not doing it is an automatic failure.  Replacing equipment you have because some blog post told you to simply lets you spend money.  Check the facts.
  8. Some of your Windows XP computers may be managing diagnostic or special purpose devices, and are not managed as part of your office network. Don’t let these hide from you as you replace your office systems. They all need to go.
    Actually, they don't necessarily.  If you determine that THIS system is needed for your operations, and you take appropriate precautions, then it doesn't have to go.
  9. Encryption was not in Windows XP but is now included in some business-class versions of Windows.
    Hmm.  Really?  How much software does this guy write?  How many computers does he install? Encryption certainly was a feature of Windows XP.  Otherwise, the first time you hit Google after they put in a forced redirect to https://www.google.com when you typed in http://www.google.com would have failed.  And if you happen to have one of those ancient tanks around, you should also see that you can encrypt an entire file system.
  10. Refer yourself to a specialist.
    Absolutely true.  Totally non-bullshit.  Now, what business do you think he might be in?
My guidance?  Do a risk analysis. And you can probably guess which specialist I probably wouldn't select to lead it.

Something major has changed and that should automatically trigger a risk analysis.  Once you've finished that, make some well-reasoned decisions.  Those decisions will probably include a plan to upgrade operating systems to one that is supported, and/or replace older existing computers that cannot be upgraded, but those can be done in a reasonable time frame. 

But don't let some blog post full of BS panic you into doing something you don't need to, or in a way that it is going to cost you a lot more than necessary.

Earn FREE HIMSS14 Exhibitor Badge - Call for IHE Volunteers at the Interoperability Showcase

Greetings Fellow IHE Supporters!

This year, IHE will have a large presence at the HIMSS Interoperability Showcase <http://www.interoperabilityshowcase.org/himss14/> including an Information Desk, a new 15x20 Educational booth focused on educating conference attendees on the benefits of IHE. We are looking for volunteers to support the Information Desk and the Booth on Mon-Wed. Feb. 24-26, 2014. All volunteers will be given a FREE Exhibitor Badge!! Please review the guidelines and submit your RSVP using the survey <http://www.signupgenius.com/go/10C0849A9AB2FA4FC1-volunteer> by February 14th.

Volunteer Role:
Be the face of IHE!! We are looking for content experts in IHE that can help answer questions from HIMSS conference attendees. Must have ability to clearly communicate IHE benefits, past experience using IHE products and be able to handle questions from a spectrum of learning levels from the technically savvy to the technically challenged conference attendees.

Volunteer Requirements:

  • TRAINING: Attend a mandatory 30 minute training session offered on Sunday, February 23, 2014 at the following times:
    • 12:30 ET
    • 2:30 ET
    • 4:30 ET
  • Sign up for your training session using the survey.
  • TIME COMMITMENT: Must work two (2) 4.5 hour shifts, dates listed below. Sign up today!
    • Monday, February 24th
    • Tuesday, February 25th
    • Wednesday, February 26th
  • Questions about time commitments or shift schedules? All scheduling and coordination will be handled by Nancy Ramirez. Please contact Nancy Ramirez at nramirez@himss.org .

Volunteer Benefits:
All Volunteers who commit to the (2) 4.5 hour time slots will be entitled to the following benefits:


  • FREE! Exhibitor badge to HIMSS14 Annual Conference
  • Network with HIT professionals
  • Build awareness for IHE and simultaneously recruit additional volunteers for YOUR particular domain

Travel Accommodations Note: IHE USA does not provide housing, flights and/or a per diem for these volunteer positions. These expenses are your responsibility.

Questions about Volunteer Opportunities?
Please contact Celina Roth at croth@himss.org if you have any additional questions regarding Volunteer Opportunities. IHE staff will follow up with you once you have completed the survey to confirm your availability, role and provide additional details for your role on-site. Thank you for your support in advance.

Uncover the Power of IHE!
Interoperability for Dummies, IHE Edition
Now Available | Get Your Copy!


Monday, February 10, 2014

DAF Updates, SAIF Simplified, and other Stories from IHE in Vienna

Yesterday we went through our walk through of the IHE Data Access Framework White Paper.  We hacked on it pretty hard for a number of reasons.  One of the challenges we ran into was that the QIDAM didn't deliver on its promise of harmonizing HQMF, HeD, QDM, VMR and CDA models.  Instead, it delivered on part of that, and only on that part related to HQMF/HeD harmonization.  The problem with that is that the DAF white paper needed that like yesterday, so now we have to find something else.

Unfortunately, other conceptual models don't fit the situation very well, and as we know, the reason for QIDAM was because HL7 had no conceptual model from which you could derive its clinical statement model.  So even though we all have that model in our heads, we still don't have it on paper.  My choices are to find one that fits (two have already failed), or build Yet Another One.  Ycch.

During the discussion, Derek from ITI stopped by, and he's done some real work with RM-ODP, and one of our co-chairs in the group (Laura Bright) is familiar with the Zachman Framework.  As a result of those discussions, we've gone from the HL7 SAIF 3 x 4 grid to a 2 x 5 grid, where IHE makes it really clear, we say NOTHING about technology, and our two levels are conceptual and implementable across the original five viewpoints.  That pretty much corresponds with the Volume I and Volume II/III content divide.  Hooray for simplification. 2 x 5 < 3 x 4, and two are explicitly N/A.

After geeking out about that, there was a little side conversation over lunch about the curvature of a saddle (I won, it's negative, but she'll get me back for that later).

And then, there was the fact that IHE ITI decided this week to change the CP status known as "Rejected" to "Rejected with apologies".

IHE In Vienna has been fun so far, I just hope I manage to get some sleep while I'm here.

   Keith

Thursday, February 6, 2014

Principles for HealthIT Standards Selection

Last Thursday the Clinical Quality Workgroup met to finish the discussion we started in October on principles for standards selection.  We reviewed the following single slide in detail and verified that these are indeed the right questions to be asking about standards that we recommend as a workgroup.


This is a really nice reduction of our discussions to a very simple, easy to use assessment that any HIT Standards Committee workgroup can use to assess readiness of a standard for use in certification processes. This material is based on past work from NIST (for Smart Grid standards) and IHE (for standards selection used in IHE profiles) and HITSP (e.g., the Tier 2 spreadsheet).  The Clinical Quality workgroup will be using this assessment going forward for its recommendations to the HIT Standards Committee, and I personally hope that other committees adopt this assessment process as well.

Tuesday, February 4, 2014

Medical Decision Making intersects with Data Mining

One of the classes I'm taking this term is called Medical Decision Making.  We'll spend quite a bit of time on Decision Trees, Simple Markov Models, and Monte Carlo Simulations to develop our skills with a set of tools useful for decision making.

Some of these tools I've used before for classifying information.  I used data from simple Markov models to build a predictive part of speech recognizer, and decision trees were something I built to make hyphenation rules, back in the days when I used to care about spelling correction.  These are also tools found in the tool-box of anyone familiar with a variety of data mining techniques.

And those same techniques are being applied to micro-signals in analytics applied to big data generated by organizations to help detect and improve some other measure (be it quality, profitability or something else).

In fact, there is so much similarity that I'm beginning to wonder about the application of other data mining techniques to medical decision making.  Do I hear a thesis topic coming together in my back brain?  If I focus it on patient-centric medical decision making, there might just be something worth looking into that also fits into my personal and career goals.

Funny how all that early work in linguistics keeps coming back to haunt me (as he hunts for red squiggles in his blog post [note to self: add squiggles to my custom dictionary]).


Putting what you know together with what you do

One of the luxuries of taking a class that covers material that I've been doing is NOT that I've been doing it, but rather, that it reminds me of the steps I've been skipping.

For example, I've been managing projects for the past thirty years.  I've got (somewhere around here), a print copy of the PMBOK guide, as well as a shelf full of books on software engineering, process, project management, et cetera.  I'm used to applying project management to software development projects.

What I'm NOT used to, is applying that knowledge to other kinds of projects, since I've neither been the PM, nor part of a project large enough (until last year), to require some serious PM skills from me.  So, the reminders I've been getting in class are good, timely, and helping me to recognize where to apply those skills to my more recent work.  And it's of course, just in time education, which means I'm getting it when (or just slightly after), I need to be using it, which means I am using it, which means I'm learning it (and teaching it to others, which is an even more effective way to learn it).

So, to cap it all off: This weekend I applied it to my personal life.  We are planning a move to happen some time in the next year, allowing me to move my mother in with the rest of my family.  But I need a bigger house, and for several other reasons, moving is more attractive than building.  So we kicked off that project this weekend, and I have a charter, list of stakeholders, WBS, task effort estimates, and a few other things already from that first meeting.

Project meetings are weekly on Saturday morning [after coffee/breakfast, before cartoons].  So now I get to try this three ways.  What fun.  And now my kids get to see what I do for my day job applied to their lives.

We've got a set of items to do for the next two weeks, and if we hit everything (or nearly everything), everyone gets to go out to dinner (on the project sponsors [my wife and I]).

    Keith