As part of the American Recovery and Reinvestment Act passed in February, Congress has provided $19 billion to drive adoption of electronic health records (EHR) by physicians and other providers, and to get all parts of the healthcare system connected electronically. The legislation also sets forth a powerful new federal role in coordinating health IT standards and adoption. In some respects, the government will be trying to catch up with early adopters of EHR programs that are already reaping the benefits of an efficient, connected system; however, not all medical centers, hospitals, physicians, or labs are ready for what this sweeping new national agenda entails. Industry observers are emphasizing that in order to get this new paradigm right, laboratorians must be involved in all phases of the process—at the national and local levels, and especially in their own institutions—whether it be developing standards, or refitting their LIS to work better within the larger EHR framework.
As physicians’ offices, hospitals, and regional organizations come online and try to connect, truly interoperable EHRs hold the potential to improve healthcare, but will also represent a revolutionary step in the role of lab medicine, said Jay Jones, PhD, director of the chemistry and toxicology laboratories at Geisinger Medical Center in Danville, Pa. “Not just the provisions of this bill, but the infrastructure that will be installed will all touch the laboratory. This will rewire a lot of our processes, from order entry to result reporting.” Jones has worked with Geisinger as it has rolled out an EHR since 1995 to more than 800 providers in its regional system. “EHRs will enlarge the lab’s role, and make labs more a part of the medical enterprise. Labs are going to have to step out of their factory men-tality more and more to know what they are really providing their customers, be they patients, providers, payors, or the government.”
This Time, It’s Really Happening
Health IT and EHRs are not new. But large swaths of hospitals, medical centers, labs—and especially physicians—have been waiting for something more definitive before investing time and money in new IT products. Now with passage of the stimulus bill, a set of defined steps has been set into motion, ramping up pressure on providers to take a hard look at what’s going to be required of them.
“I think the biggest thing that the stimulus package does in this area is provide certainty,” said Janet Marchibroda, CEO of the eHealth Initiative, which works with government, nonprofit, and industry stakeholders to promote health IT adoption. “It says in 2011 Medicare will start providing bonuses, and in 2015 you’ll start being penalized if you don’t use EHRs. So that will move the market; it will move providers; and they’ll know that they need to start getting ready.” Under the bill, physicians can qualify for up to $44,000 in incentive payments beginning in 2011, while hospitals are eligible for payments of at least $11 million over a 4-year period. Beginning in 2015, physicians and hospitals face payment cuts if they don’t have an operable EHR system.
All of this eventually will put pressure on labs. The EHR systems that physicians and hospitals must adopt by definition likely will include test results. More importantly, a qualified EHR must include the capacity for clinical decision support, physician order entry, capture of healthcare quality data, and the functionality to connect with other systems. All these requirements of EHRs as laid out in the bill will significantly affect labs, said Marchibroda. The wealth of information in a lab’s LIS will be tapped not just for test results, but the EHR framework will be counting on richer data from the lab for other information needs as well. In order for labs to provide this, most can’t simply plug their LIS into a new system or network and hope for the best.
Building on What We Have
The health IT portion of the stimulus bill requires a lot from both providers and the government. One of the thorniest problems is how to get unique systems all over the country to talk to each other and exchange secure, meaningful data. In this area, work on standards has been ongoing since the Bush administration put together the American Health Information Community (AHIC), which has now transitioned to a public-private partnership know as the National eHealth Collaborative (NeHC). NeHC’s current goal is to lay out priorities for standards-making, and help keep the many stakeholders around EHRs on the same page.
The work of harmonizing the actual standards—such as code sets, specifications, and terminologies—currently belongs to another public-private partnership, the Health Information Technology Standards Panel (HITSP), which has already published interoperability specifications for EHR lab results reporting. HITSP is supposed to allow health IT vendors and providers to know if they’re on track to making their EHRs interoperable.
Finally, the Certification Commission for Healthcare Information Technology (CCHIT), a private non-profit recognized by HHS in 2006, reviews and certifies actual EHR software packages for physician offices and clinics, inpatient settings, and emergency departments. Their stamp of approval helps providers feel more confident in buying EHR products from vendors.
While CCHIT does not certify any products specifically for use in labs, all certified EHR systems must be able to receive lab results using defined standards. It’s up to each lab to make sure the information they send to an EHR matches up with the various codes and standards that the CCHIT-certified EHRs are required to use.
The New Plan
More than just injecting money to invest in EHRs and defining what an EHR should do, the stimulus bill also lays out a new framework that aims to make all of these organizations work more cohesively as providers try to wrap their heads around what they’re supposed to do. The new legislation looks like it will tackle most of the problems that have hampered widespread adoption until now, said Marchibroda. “When you look at the barriers to the adoption of health IT, they’ve really fallen into a handful of buckets: funding; getting agreement on and adopting standards; dealing with workflow issues; and then addressing concerns about privacy. The American Recovery and Reinvestment Act speaks to all four of those areas in a way that for the most part, people feel good about. There are diverse opinions on how to move this forward, and I would say that they were able to incorporate the ideas of many, which is a major feat.”
The design put forward under the stimulus bill will restructure the current web of standards groups and other stakeholder organizations, and will also put the federal government in a more powerful leadership role. The first deadline for revamping the current scheme is December 31 of this year. By that time, the secretary of HHS is expected to approve an initial set of EHR standards through a rulemaking process.
Before the secretary can adopt those initial standards, the bill creates two federal advisory committees that will have a hand in the process. The first will be called the HIT Policy Committee, and it will define what areas need to be covered and what the priorities are for covering them. “The Policy Committee should provide a roadmap for how all the pieces fit together,” said Marchibroda. “And then the standards work will fall out of that set of priorities. I think we’re going to see more in the way of coordination and planning with the heavy hand of federal government.” It’s possible that NeHC could be restructured to take on some elements of standards policy.
The second advisory group, known as the HIT Standards Committee, will take guidelines and priorities from the HIT Policy Committee and develop, harmonize, and recognize standards, implementation specifications, and certification criteria to allow the exchange of health information among discrete EHRs and other systems. Marchibroda noted that the language of the bill requires testing and evaluation of these standards, bolstering the government’s role in the process. In addition, the bill requires this committee to conduct open meetings and work transparently with opportunities for public comment.
What Are Labs Responsible For?
As laboratorians consider their role in making interoperable EHRs function properly, they’ll have to keep in mind their responsibilities not just to send the right data in the right way, but to continue to follow CLIA and HIPAA regulations while doing so. “The CLIA rules were written regardless of the means of communication the laboratory uses to report results,” said Judith Yost, MA, MT(ASCP), director of CMS’s division of laboratory services. “Results need to get to the individual who ordered the test or who is going to utilize those results, because obviously that’s the whole purpose we’re here. If someone orders a test, it has to get to the right place accurately, timely, and confidentially in order to facilitate good patient care.”
Other CLIA requirements that will need to be dealt with in the lab-EHR connection include specifications for the laboratory report. These can be formatted differently in an EHR, as long as it contains the same complete information, said Yost. Results must also arrive reliably. “Labs have to make sure that with each one of the stops that the information makes on the way to its final destination, what goes in comes out correctly. It doesn’t have to be in the exact same format, but the required elements have to be there and they have to be usable and timely.” The way CLIA is written, the lab is responsible for the result until it reaches the authorized person as defined by each state—the person who ordered the test or will use those results, such as the clinician responsible for treating the patient. With data entering EHRs via regional health information networks and other systems, the responsibility still will lie with labs to make sure data reaches its final destination intact and securely, and gets to the right person first before being shared with other providers.
Several workarounds currently exist. Some institutions have their own information system that will direct the result to the clinician, but the result must also be sent into a regional health information exchange so that it will be available to the patient at more than one site of care. In this circumstance, the lab would just have to make sure that it went to the intended clinician prior to going to the regional health information exchange. Alternatively, as the political and regulatory infrastructures are built up in accordance with health IT provisions in the stimulus bill, CCHIT or some other organization may be able to certify that any electronic intermediary that stands between the lab and the intended recipient are offering secure, CLIA and HIPAA-compliant protocols. Regardless of how each LIS connects to an EHR or regional health information exchange, laboratorians will need to understand the system their organization is using so they can follow through with their legal duty.
Similarly, the stimulus bill also included updates to HIPAA, which could mean labs will have to rework their privacy policies and examine how their IT systems will be affected, said Jason DuBois, vice president for government relations at the American Clinical Laboratory Association (ACLA). “They created a new breach provision and expanded some of the enforcement authority to go after violations. From what I know about violations that have taken place today, I think they have largely happened because accidents were made, and were not due to intentional violations. Very few cases have ever been referred to the Justice Department where people were really trying to use information maliciously. To now be expanding this authority for enforcement really flies in the face of what is really needed.” The bill also changes when an information breach is treated as discovered, and sets out new rules about patient access to protected health information that DuBois said could be unnecessarily burdensome for labs (See Box, p. 8).
Changes Ahead for HIPAA
The American Recovery and Reinvestment Act changes when an information breach is treated as discovered, and sets out new rules about patient access to protected health information that could add another burden for labs. Here’s a look at the most significant new language in the bill.
Notification in the Case of Breach—Requires that a covered entity or business associate notify each individual whose unsecured PHI has been accessed, acquired, or disclosed as a result of a breach.
Breaches Treated as Discovered—A breach is treated as discovered by a covered entity or by a business associate as of the first day on which the breach is known.
Requests for Restrictions on Disclosures—Requires covered entities to comply with requested restrictions on disclosures of PHI if such disclosures are to a healthcare plan for payment or healthcare operations and the PHI relates to healthcare services that the provider has been paid for by the individual out of the individual’s pocket.
Accounting of Protected Health Information Disclosures—Requires covered entities that use electronic health records with respect to PHI to account for disclosures relating to treatment, payment, and health care operations for 3 years prior to the date of the request. Under HIPAA, no accounting is required for treatment, payment, or health care operations, as those disclosures can be made without patient authorization.
Review of Health Care Operations—Directs the Secretary to narrow the definition of “healthcare operations” to exclude those activities that can reasonably and efficiently be conducted through the use of information that is de-identified or that should require a valid authorization for use or disclosure.
Prohibition on Sale of Electronic Health Records or Protected Health Information Obtained from Electronic Health Records—Prohibits the exchange of remuneration for any PHI without prior patient authorization, unless one of the enumerated exceptions is satisfied.
Access to Certain Information in Electronic Format—Requires that a covered entity provide access to PHI in an electronic format if the covered entity uses or maintains an electronic health record.
Tiered Increase in Amount of Civil Monetary Penalties—Establishes a tiered approach for applying civil money penalties for violations under HIPAA of $100 to $50,000 for each violation, and not to exceed $25,000 to $1,500,000 for the same violations within a calendar year, respectively.
Enforcement Through State Attorneys—Permits Attorneys General of a State to bring a civil action on behalf of residents of the State for violations under HIPAA.
A lot of the work to be done in implementing EHRs will fall under the purview of IT departments and vendors preparing the necessary software and support services. However, even with the most user-friendly and advanced software, laboratorians will need to be involved and understand the changes to their systems, said Jones. “In order to get the LIS to integrate order entry and result reporting from an HIS—or now even more broadly, an EHR—we have to rewire our LIS to meet the needs of the EHR. So providers are no longer going to order a lab test on the lab computer, they’re going to order it in an examining room by clicking on a best practice alert, or however the electronic system is set up, and that order will pass to the LIS.”
Outside of the obvious change from paper ordering and reports to an electronic system, labs will face challenges with EHRs that go beyond just plugging in to a larger network. “The short term priority for labs is really to get up to speed with the interoperability, and that’s not just an interface, but the actual operations between their computer system and the EHR that is coming into their enterprise. They’re going to really have to participate in the implementation. It’s going to impact the whole process once it’s driven by the EHR,” said Jones. “Inbound and outbound information from the laboratory is going to have to make sense to what the enterprise really needs in order to earn the incentives that the government is offering and make sure it’s built correctly. We’ll be maintaining our LIS, but that will be just a departmental system that holds scientific records. What we put out to the EHR will have to be a clinical record.”
Beginning with an implementation plan, labs will have to get comfortable with codes and standards that will require hands-on time by lab staff. “The laboratory can’t just sit in their factory and think: ‘Well, somebody in IT is hooking us up to the EHR.’ They need to be there participating in the process of that integration and that implementation,” Jones explained.
While most labs currently use the HL7 messaging standard to send results electronically, in order to provide the information necessary for a qualified EHR as defined in the stimulus bill, more will be required. One of the most important changes labs might have to make is using LOINC (Logical Observation Identifiers Names and Codes). LOINC codes identify and structure the content of a message that goes through the HL7 standard, something that will become increasingly important as providers set up EHRs and start connecting various departments, organizations, and government entities. While LOINC codes can be layered into an existing LIS, it’s not just a matter of popping in a CD and loading software. It will take time and effort by lab staff who understand their system to incorporate the codes and make them work for their unique institution, cautioned Pamela Banning, MT(ASCP), CLS(NCA), PMP (PMI), who serves on the LOINC committee. Banning is a healthcare data analyst for 3M HIS Terminology consulting service.
Banning describes LOINC as a prism: a single code contains six attributes of a single lab result, revealing each aspect of the result in a uniform way, the way white light breaks out to the spectrum colors. Each code represents a unique lab concept, defined by the analyte, property (ie, mass or substance concentration), timing, specimen, scale (format of the answer), and possibly the method of the result. The HL7 messaging standard ensures the receiving end of an electronic message can properly “digest” it and know exactly where to look for particular pieces of information. The LOINC code accompanies the local lab code in the HL7 message. As a result, lab data can be reliably collated and stored appropriately in data repositories. Secondary use of the coded data is also made available. For example, insurers and hospitals that report HEDIS measures have adopted LOINC, and increasingly labs will be under pressure to get their LIS LOINC-coded for this purpose as well.
Banning emphasized that incorporating LOINC into a LIS will require work by the lab to define the local test catalogue to vocabulary standards. Laboratorians also will need to educate themselves so they can be prepared to use LOINC correctly. Tutorials are available from the standards development organizations (Regenstrief Institute for LOINC), and AACC’s LISMI division, she said. “I think people are just starting to recognize all they’re going to need to know in order to make their lives easier when they get called in to participate on these projects.” The commitment extends to ongoing maintenance, as labs add new tests to their catalogues, and implement biannual LOINC version updates.
Labs and other providers still have some time to get a handle on this; however, even before EHRs are implemented nationwide, labs need to get involved very quickly with the governmental entities and other organizations that will be making decisions about standards and the like, said Jones. “I think the basic framework is there. There are approved products, there are standards—they’re not perfect, but they get the job done. But still it’s going to require mastery of those tools that are at an operational level. It isn’t something that IT can go into with ‘plug and play’ bravado and get the whole thing up and running without knowing the real application. So doctors, nurses, radiology techs, and laboratorians are going to have to be at the table to design the electronic process and in many cases reengineer their own operations to convert to the EHR.”
An Overview of the Health IT Framework
The current scheme of standards and policy organizations working on health IT is built on a public-private partnership model. The American Reinvestment and Recovery Act creates two new federal advisory committees: the HIT Policy Committee, and the HIT Standards Committee. The next step is to integrate the current framework under the federal advisory committee model, which will give greater control to the federal government, while at the same time ensuring a transparent process.
National eHealth Collaborative (NeHC)—NeHC inherited the mission of the American Health Information Community (AHIC), and it sets priorities for standards development and other interoperability initiatives.
Health Information Technology Standards Panel (HITSP)—HITSP harmonizes and integrates standards to promote information sharing among organizations and systems.
Certification Commission for Healthcare Information Technology (CCHIT)—A private, non-profit organization recognized by HHS, CCHIT reviews and certifies EHR software to make sure it meets the criteria for security, interoperability, and other factors.