Thomas,
You have described the situation succinctly with your statement: "My
suspicion is that the gov has documented HIPAA as well as it can and is
letting the healthcare community tell it what it said."

I sense that our security experts are fairly happy with the HIPAA
Security Rule... that it goes far enough, but does not stifle
development or unreasonably increase costs... that it is essentially a
codification of what most would consider  "best practice".  Same for
HIPAA Privacy, really.  We are hearing some consumer groups (the
paranoid fringe) arguing for even more restrictive privacy policy than
HIPAA... but I can tell you that my patients are more inclined to regard
the whole thing as gross overkill and a waste of doctor's time.  I would
not quite agree with the latter because a good deal of the "security and
privacy" that patients presently enjoy is afforded by their health
information being scribbled into paper records and trapped in the
doctor's back room.  That DOES keep the information safe from prying
eyes... of even the people who need to see it!

The rule that needs to be changed and is causing all the grief at the
moment is the transaction rule.  If our goal is to force lower
operational cost with a regulation then, in my opinion, the regulation
only needs to FORCE representation of provider needs at the SDO level.
Then common sense and the requirement that SDOs abide by a consensus
process, should result in a standard that doctors can live with.
Representing the diverse requirements of all care domains at the SDO
level, however, will require a substantially different labor/funding
model for the SDO, and some heavy-duty automation/tools to handle the
extensive vetting requirements with our dispersed (global) provider
community.  We also need more online collaboration tools and FEWER
expensive, face-to-face SDO meetings.

Using a govt. regulation to force a specific communication paradigm like
X12-style EDI is simply the wrong place to apply the regulation.  There
is no "one size fits all" model for EDI.  This has induced smaller plans
and virtually all providers to simply push their EDI connection
headaches onto the clearinghouse industry.  I call it the "dueling
leaf-blower problem".  The CH-industry is glad for all the new business
this is blowing its way... but I'm not convinced that it knows what it
will do with all the leaves!

Christopher J. Feahr, O.D.
Optiserv Consulting (Vision Industry)
Office: (707) 579-4984
Cell: (707) 529-2268
http://Optiserv.com
http://VisionDataStandard.org
----- Original Message ----- 
From: "Thomas Clark" <[email protected]>
To: <openehr-technical at openehr.org>; "norbert Lipszyc"
<irl at club-internet.fr>; "Christopher Feahr" <chris at optiserv.com>
Cc: "Thomas Clark" <lakewood at copper.net>
Sent: Thursday, August 07, 2003 10:54 AM
Subject: Re: Distributed Records - An approach


> Hi Chris,
>
> Unfortunately the uncertainty in the HIPAA environment at this time is
> sufficient to cause large Providers, e.g., Kaiser Permanente, to move
> records based operations offshore, i.e., to India. I am uncertain as to
> their reasoning but it may well be a situation where the records will
> reside beyond the jurisdiction of US courts.
>
> The Provider may then have only the transitory records to contend with.
> I haven't seen a paper on this concept but I can bet that KP has already
> been down this trail. On this one only a qualified attorney can hazard a
> guess.
>
> The following is certain, however, (1) the security features designed
> into OpenEHR records are of MAJOR importance and (2) where the records
> reside may ultimately affect the 'choice of laws' applied.
>
> As OpenEHR proceeds it is likely to encounter many more of these legal
> issues and, even after deployment, may have to adapt to changing legal
> requirements. My hope is that one day we will see international law
> covering such topics, e.g., security and privacy of healthcare records
> transmitted and stored internationally.
>
> APPROACH: Make it the 'best' you know how and maybe people and
> governments will buy into it. My suspicion is that the gov has
> documented HIPAA as well as it can and is letting the healthcare
> community tell it what it said.
>
> -Thomas Clark
>
> ----- Original Message -----
> From: "Christopher Feahr" <chris at optiserv.com>
> To: "Thomas Clark" <tclark at hcsystems.com>; "norbert Lipszyc"
> <irl at club-internet.fr>; <openehr-technical at openehr.org>
> Sent: Thursday, August 07, 2003 7:13 AM
> Subject: Re: Distributed Records - An approach
>
>
> > Thomas,
> > Your points are certainly well taken regarding qualified legal
> > assistance.  WEDI-SNIP (http://www.wedi.org/snip/) is where the bulk of
> > the discussion is taking place regarding what HIPAA actually means and
> > requires of industry stakeholders, and it is populated with quite a few
> > lawyers, including our top health law firms.  After 4 years of
> > relatively non-stop, open discussions of how to comply with this
> > regulation, we have grown up a virtual army of self-taught HIPAA
> > "lawyers"... consultants like myself, who have volunteered to read
> > through the regulations, follow the national discussion, and
> > participate in writing the numerous white papers published on the SNIP
> > web site.
> >
> > Attorneys do comment frequently, but mostly in general terms.  I'm sure
> > that they realize, as you have pointed out so vigorously in this post,
> > that many interpretations and arguments are possible in this complex
> > area of law.  When push comes to shove and these questions land in
> > court, it's anyone's guess who will prevail.
> >
> > Nevertheless, US providers and system developers are in a dilemma.  The
> > government has published thousands of pages of convoluted legal and
> > technical requirements in our Federal Register... and simply expects a
> > half-million providers to "comply" with it.  The regulations go into
> > excruciating detail regarding security and privacy requirements, while
> > the Transaction Rule goes into similar detail with respect to
> > electronic communication between payers and providers, naming 8 or 9
> > specific X12 implementation guides to be used for claims, eligibility
> > queries, payment advice, etc.  Each IG contains hundreds of pages of
> > specific requirements for each transaction, and are effectively part of
> > "the law".
> >
> > Our government (mainly Centers for Medicare and Medicaid Services (CMS)
> > and Dept. of Health and Human Services) encourages and occasionally
> > participates in these unmoderated discussions.  CMS has compiled a
> > "frequently asked questions" site, where its published answers are
> > regarded by most as the definitive legal interpretations.  Providers,
> > however, are largely oblivious to the law and this rambling 5 year
> > conversation among a couple thousand consultants, payers and
> > clearinghouses.  But even this band of self-appointed "HIPAA jailhouse
> > lawyers" cannot agree on what HIPAA means in some of the more complex
> > areas like who can be charged for what by a clearinghouse and the
> > "Direct Data Entry (DDE) exception" to the transaction rule... yet, the
> > regulation directly or indirectly impacts virtually all areas of system
> > development for the US healthcare industry.
> >
> > Anyway... that's why I have become accustomed to "talking like a
> > lawyer" about these issues.  We have had no choice in the US, but to
> > take up the law books ourselves.  The government dropped this
> > requirement on us, but has provided no accompanying legal or
> > implementation assistance.  That has largely been a volunteer effort
> > through WEDI-SNIP.  In fact, the regulation itself names WEDI and
> > charges it with this very mission.
> >
> > It's a real party over here!
> >
> > Christopher J. Feahr, O.D.
> > Optiserv Consulting (Vision Industry)
> > Office: (707) 579-4984
> > Cell: (707) 529-2268
> > http://Optiserv.com
> > http://VisionDataStandard.org
> > ----- Original Message -----
> > From: "Thomas Clark" <tclark at hcsystems.com>
> > To: "Christopher Feahr" <chris at optiserv.com>; "norbert Lipszyc"
> > <irl at club-internet.fr>; <openehr-technical at openehr.org>
> > Sent: Wednesday, August 06, 2003 11:18 PM
> > Subject: Re: Distributed Records - An approach
> >
> >
> > > Hi Chris,
> > >
> > > One always has to check the 'terms and conditions' of the agreement
> > > between the Patient and the Provider. Generalizing may lead one down
> > > the wrong path.
> > >
> > > Comments in text.
> > > -Thomas Clark
> > >
> > > ----- Original Message -----
> > > From: "Christopher Feahr" <chris at optiserv.com>
> > > To: "Thomas Clark" <tclark at hcsystems.com>; "norbert Lipszyc"
> > > <irl at club-internet.fr>; <openehr-technical at openehr.org>
> > > Sent: Wednesday, August 06, 2003 11:51 AM
> > > Subject: Re: Distributed Records - An approach
> > >
> > >
> > > > the "control" issue is an interesting one.  In the US, it is
> > > > generally acknowledged that the patient "owns" the information in
> > > > the record, but not the record, per se.
> > > NOTE: check 'terms and conditions'. If unsure, consult a qualified
> > > attorney.
> > >
> > >   ... There would be no legal basis that I can think
> > > > of, for the patient to assert control over where the records are
> > > > physically stored.
> > > If the records are stored by the Patient then it may be the case that
> > > the Patient owns both the information and the physical record. Consult
> > > a qualified attorney.
> > >
> > > ... The law guarantees the patient reasonable access to
> > > > a true copy of the  info.
> > > NOTE: Although supposedly a fundamental perceived right in HIPAA
> > > I reserve comment until it has been adequately demonstrated and
> > > precedent established in the courts.
> > >
> > > Unless statements in a legislative act are specifically identified as
> > > rights and recovery for violation of those rights are clear and
> > > unambiguous you might have a struggle establishing the statement as a
> > > right (interpretation of a legislative act, or what was the intent of
> > > the legislature).
> > >
> > > Consult a qualified attorney.
> > >
> > > ... and control over who else may see it (while it
> > > > is *identified* as information about the patient... no control over
> > > > "de-identified" data).
> > >
> > > COMMENT:
> > > Control over access to information/records, in my opinion, is actual
> > > control only where it is ABSOLUTE CONTROL AND violations are
> > > specifically proscribed under the law.
> > >
> > > My interpretation of HIPAA is that control by the Patient is NOT
> > > ABSOLUTE.
> > > Consult a qualified attorney.
> > >
> > > ... With respect to access and general security,
> > > > HIPAA is now the common floor in the US, with the occasionally
> > > > stricter state and local regulations "trumping" the HIPAA Privacy
> > > > and Security Rules.
> > > >
> > > COMMENT:
> > > This gets into 'supremacy' of the laws, i.e., federal versus state
> > > law. Check out the insurance industry in the US and what impacts state
> > > Insurance Commissioners have. HIPAA affects healthcare insurance
> > > providers in a big way and they have successfully lobbied for specific
> > > provisions. How come the 50 states have previously been unable to
> > > successfully pass legislation at least as significant as HIPAA?
> > >
> > > Consult a qualified attorney.
> > >
> > > > BTW, a group of doctors here have introduced an even more
> > > > problematic concept, they refer to as "stewardship".  They are
> > > > particularly concerned about data stores that will accumulate with
> > > > e-Prescribing, and they do not want the information about what drugs
> > > > are being prescribed going into marketing-oriented databases.
> > >
> > > This is a problem that DOES NOT EXIST  in the UK (single-payer system
> > > with rigid privacy/security laws). Insurance companies have been
> > > compiling data on Patients and Drugs for some time even though they
> > > have agreed with Congress not to do this. It is a real problem.
> > >
> > > An adequate discussion on this can be carried on only with a qualified
> > > attorney present.
> > >
> > > ...  The HIPAA Privacy Rule would
> > > > certainly preclude that with patient- or provider-*identified*
> > > > information.
> > >
> > > COMMENT: I suspect that this one should be handled by a qualified
> > > attorney.
> > >
> > > ...  But HIPAA allows de-identified health information to be
> > > > passed around freely.
> > >
> > > COMMENT:
> > > Personally I view this as a security violation since little definition
> > > is provided as to how Patient records become 'de-identified'.
> > > Providers at all levels should be bound by the privacy/security
> > > presumed and expected by the Patient.
> > >
> > > 'de-identifying' records for whatever purpose is really tricky, e.g.,
> > > if the clinic has had only one Patient in the last ten years with a
> > > rare disease and you are the Patient, one might consult a qualified
> > > attorney.
> > >
> > > Be sure to consult a qualified Plaintiffs attorney on this one.
> > >
> > >   These docs seem to even want to retain a legal
> > > > "stewardship" role with de-identified information... not likely to
> > > > happen.
> > >
> > > Immediately coming to mind is 'intent of the law' and judicial
> > > interpretation of the law. My guess is that "stewardship" does not
> > > rise to a position superior to federal law.
> > >
> > > Be sure to consult a qualified Plaintiffs attorney on this one.
> > >
> > > COMMENT:
> > > The majority of your post includes issues properly addressed by
> > > qualified attorneys, defendant and plaintiff; some issues better
> > > answered by one or the other but each better equipped to answer than I
> > > am. The common-law jurisdictions in the US and the federal code and
> > > judicial system need to be considered when making plans that involve
> > > or make contact with HIPAA.
> > >
> > > >
> > > > Christopher J. Feahr, O.D.
> > > > Optiserv Consulting (Vision Industry)
> > > > Office: (707) 579-4984
> > > > Cell: (707) 529-2268
> > > > http://Optiserv.com
> > > > http://VisionDataStandard.org
> > > > ----- Original Message -----
> > > > From: "Thomas Clark" <tclark at hcsystems.com>
> > > > To: "norbert Lipszyc" <irl at club-internet.fr>; "Christopher Feahr"
> > > > <chris at optiserv.com>; <openehr-technical at openehr.org>
> > > > Sent: Wednesday, August 06, 2003 10:54 AM
> > > > Subject: Re: Distributed Records - An approach
> > > >
> > > >
> > > > > > Hi Norbert,
> > > > > >
> > > > > > Agree regarding the Patient's choice. It is a basic presumption
> > > > > > on my part and I too often forget to state it.
> > > > > >
> > > > > > Regional databases that maintain Patient records should be
> > > > > > responsible to the Patient who in turn dictates the 'terms and
> > > > > > conditions', the major loophole being prevailing law. However,
> > > > > > the Patient should be able to choose where to store the records
> > > > > > (especially where paying to do so).
> > > > > >
> > > > > > Given a choice between the US and France I would choose to store
> > > > > > them in France because of the higher levels of security.
> > > > > >
> > > > > > Before deployment, and as soon as possible, these types of
> > > > > > requirements must be integrated in the design and affecting all
> > > > > > levels. I just forget to mention them.
> > > > > >
> > > > > > -Thomas Clark
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "norbert Lipszyc" <irl at club-internet.fr>
> > > > > > To: "Christopher Feahr" <chris at optiserv.com>;
> > > > > > <lakewood at copper.net>; <openehr-technical at openehr.org>
> > > > > Sent: Wednesday, August 06, 2003 1:23 AM
> > > > > Subject: Re: Distributed Records - An approach
> > > > >
> > > > >
> > > > > > > The remarks of Christopher Feahr are very adequate, but they
> > > > > > > overlook the fact that in many areas, patients will have the
> > > > > > > decision as to where they want their records to be kept
> > > > > > > (trusted third parties for example, as in the case of
> > > > > > > electronic signatures). Therefore his conclusions are even
> > > > > > > more appropriate as they allow this freedom which is essential
> > > > > > > in many countries, France in particular.
> > > > > > > Norbert Lipszyc
> > > > > > > ----- Original Message -----
> > > > > > > From: Christopher Feahr <chris at optiserv.com>
> > > > > > > To: <lakewood at copper.net>; <openehr-technical at openehr.org>
> > > > > > > Sent: Tuesday, August 5, 2003 17:28
> > > > > > > Subject: Re: Distributed Records - An approach
> > > > > >
> > > > > >
> > > > > > > > Thomas,
> > > > > > > > This sounds workable to me.  If I am understanding you
> > > > > > > > correctly, we need one (and only one??) registry in which
> > > > > > > > anyone, anywhere (who is authorized, of course) could look
> > > > > > > > up a patient and determine which "region" had master control
> > > > > > > > at the moment over his record.  If I'm a provider living in
> > > > > > > > the region where the records are primarily managed, then
> > > > > > > > when my system attempted to look up, say, the date of his
> > > > > > > > last Tetanus vaccination, it would find it immediately.  If
> > > > > > > > I was a provider visited while the patient was traveling
> > > > > > > > outside his "home" region, then the same local query about
> > > > > > > > his tetanus shot would tell me: "hold on a minute, while we
> > > > > > > > search all known registries to see where this guy's
> > > > > > > > home-region is... where his most current records will be
> > > > > > > > located". ... and then my region does a full record update
> > > > > > > > from the current home region? or just try to display his
> > > > > > > > tetanus vaccination history?
> > > > > > > >
> > > > > > > > One of the problems alluded to is that different regions
> > > > > > > > might be using very different EHR structures.  Thus a simple
> > > > > > > > "record refresh" in region B from the information stored in
> > > > > > > > Region A is not so simple.  It would involve mappings at
> > > > > > > > least, and possibly even data transformation.  The inability
> > > > > > > > to assume an overarching authority seems to be the Achilles
> > > > > > > > heel.  After a dozen record "movements" from one region to
> > > > > > > > the next, many little mapping and transformation errors may
> > > > > > > > have accumulated to thoroughly hose up the medical
> > > > > > > > information in the patient's "master" record.
> > > > > > > >
> > > > > > > > One way around the central record managing authority would
> > > > > > > > be to have VERY FEW regions... each with a well organized
> > > > > > > > regional authority... who come together under a global
> > > > > > > > organization and work out a very tight choreography for
> > > > > > > > these refresh/hand-off operations.  But this sounds harder
> > > > > > > > and no more likely to be created as one single authority
> > > > > > > > such as the UN imposing the requirements on all regions.
> > > > > > > >
> > > > > > > > I believe that the most critical point for global
> > > > > > > > standardization and what we must aim for (first) is the
> > > > > > > > information in the record.  When the world has settled into
> > > > > > > > that (something that will ALSO require a central authority,
> > > > > > > > but just for standardizing what the information elements
> > > > > > > > mean, not for choreographing complex record-merge
> > > > > > > > operations), people will gradually come around to the idea
> > > > > > > > of moving to the next level of system interoperability, with
> > > > > > > > standard record structures.
> > > > > > > >
> > > > > > > > With only the information standardized globally, two large
> > > > > > > > and cooperative regions (say, US and Australia) could still
> > > > > > > > choose to create a US-Aus. information authority and
> > > > > > > > orchestrate a high level of interoperability for patients
> > > > > > > > and providers floating anywhere within our two countries.
> > > > > > > > If the "functional regions" initially were more along the
> > > > > > > > sizes of counties and states, then we'd have a lot more
> > > > > > > > hassle and negotiating.  So I would suggest the world start
> > > > > > > > with the largest sized regions that could be reasonably
> > > > > > > > managed with the same EHR structure.
> > > > > > > >
> > > > > > > > The critical issue for all regional participants would be a
> > > > > > > > strong, competent regional authority... that operated in
> > > > > > > > conformance to a set of well defined "regional authority
> > > > > > > > rules"... maintained by the UN??
> > > > > > > >
> > > > > > > > Christopher J. Feahr, O.D.
> > > > > > > > Optiserv Consulting (Vision Industry)
> > > > > > > > Office: (707) 579-4984
> > > > > > > > Cell: (707) 529-2268
> > > > > > > > http://Optiserv.com
> > > > > > > > http://VisionDataStandard.org
> > > > > > > ----- Original Message -----
> > > > > > > From: <lakewood at copper.net>
> > > > > > > To: <openehr-technical at openehr.org>
> > > > > > > Sent: Tuesday, August 05, 2003 12:11 AM
> > > > > > > Subject: Distributed Records - An approach
> > > > > > >
> > > > > > >
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > With a background in fault tolerant computing I have a
> > > > > > > > > built-in penchant for distributed files that are
> > > > > > > > > exact/backup copies of a master. Works wonders for
> > > > > > > > > financial transactions.
> > > > > > > > >
> > > > > > > > > I don't believe that this model fits EHRs especially since
> > > > > > > > > one can conceive of parallel, e.g., close proximity in
> > > > > > > > > time, operations directed at modifications originating at
> > > > > > > > > geographically distant locations. These operations, even
> > > > > > > > > if they occur across town (Clinic and distant Lab) create
> > > > > > > > > problems for record management.
> > > > > > > > >
> > > > > > > > > Tying record management to physical location is not a
> > > > > > > > > solution. Remote medicine complicates this immediately.
> > > > > > > > > However, a constant occurs immediately, presuming that we
> > > > > > > > > do not have to deal with human clones (put a <dash-number>
> > > > > > > > > in the ID). The Patient ID is it. Traditional approaches
> > > > > > > > > would require that in all the world there is only one
> > > > > > > > > unique person being considered. (hopefully).
> > > > > > > > >
> > > > > > > > > Hence each region could contain entries on residents,
> > > > > > > > > transients, visitors, tourists, etc. that somehow make
> > > > > > > > > contact with healthcare facilities/Practitioners in the
> > > > > > > > > region.
> > > > > > > > >
> > > > > > > > > Registering the IDs and updating the regional databases
> > > > > > > > > requires that only those regional Patients be
> > > > > > > > > administered.
> > > > > > > > >
> > > > > > > > > National and international databases can be established
> > > > > > > > > that will receive and store regional registrations of
> > > > > > > > > Patient IDs, allowing one to scan these databases to
> > > > > > > > > determine who holds regional records on individual
> > > > > > > > > Patients. One can then retrieve all the records or part of
> > > > > > > > > them. This substantially reduces the need for storage and
> > > > > > > > > bandwidth to manage records on a global scale.
> > > > > > > > >
> > > > > > > > > I presume that there is no need to have matching records
> > > > > > > > > for individual Patients in all regions this Patient has
> > > > > > > > > been in and made contact with the healthcare industry. If
> > > > > > > > > I take a cruise on the Rhine and require medical attention
> > > > > > > > > it makes no sense to burden whatever region manages that
> > > > > > > > > healthcare system with anything more than they had a
> > > > > > > > > tourist with a weak stomach.
> > > > > > > > >
> > > > > > > > > It would be nice to have a distributed registry that would
> > > > > > > > > show where I had to stop off and get some help. At least
> > > > > > > > > the Public Health personnel would appreciate it.
> > > > > > > > >
> > > > > > > > > The important thing to me is to be able to access all the
> > > > > > > > > known records and bundle them in a way that is appropriate
> > > > > > > > > for the healthcare personnel handling my latest
> > > > > > > > > complaints.
> > > > > > > > >
> > > > > > > > > BTW: The Fault Tolerant/Highly Available Systems can make
> > > > > > > > > sure that the information requested is available but the
> > > > > > > > > applications have to structure it.
> > > > > > > > >
> > > > > > > > > -Thomas Clark
> > > > > > > >
> > > > > > > >
> > > > > > > > -
> > > > > > > > If you have any questions about using this list,
> > > > > > > > please send a message to d.lloyd at openehr.org