APA format, in-text citation, reference include, 1 page
Explain why the two specific types of clinical and financial data you selected as your Big Data dataset would best affect behavior change in the type of co-morbid Medicare populations served in the scenario. Explain and assess how this Big Data dataset can change the behaviors of health care providers in the scenario. Assuming that your Big Data dataset is going to be shared in a regional health information exchange, explain how the Centers for Medicare and Medicaid Services and private payers might use these regional data sets to increase value in delivering services to co-morbid Medicare patient populations in the region
Use chapter 11 information to do this
Part Three Laws, Regulations, and Standards That Affect Health Care Information Systems
Wager, Karen A.. Health Care Information Systems : A Practical Approach for Health Care Management, John Wiley & Sons, Incorporated, 2017. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/waldenu/detail.action?docID=7104515. Created from waldenu on 2024-01-08 19:58:36.
Copyright © 2017. John Wiley & Sons, Incorporated. All rights reserved.
Chapter 9 Privacy and Security
Learning Objectives
To be able to distinguish among privacy, confidentiality, and security as they relate to health information.
To be able to identify the purpose of the Privacy Act of 1974 and 42 C.F.R. (Code of Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records.
To be able to describe and discuss the impact of the HIPAA Privacy, Security, and Breach Notification rules.
To be able to identify threats to health care information and information systems caused by humans (intentional and unintentional), natural causes, and the environment.
To be able to understand the purpose and key components of the health care organization security program and the need to mitigate security risks.
To be able to discuss the increased need for and identify resources to improve cybersecurity in health care organizations.
Privacy is an individual's constitutional right to be left alone, to be free from unwarranted publicity, and to conduct his or her life without its being made public. In the health care environment, privacy is an individual's right to limit access to his or her health care information. In spite of this constitutional protection and other legislated protections discussed in this chapter, approximately 112 million Americans (a third of the United States population) were affected by breaches of protected health information (PHI) in 2015 (Koch, 2016). Three large insurance-related corporations accounted for nearly one hundred million records being exposed (Koch, 2016). In one well-publicized security breach at Banner Health, where hackers gained entrance through food and beverage computers, approximately 3.7 million individuals' information was accessed, much of it health information (Goedert, 2016).
Health information privacy and security are key topics for health care administrators. In today's ever-increasing electronic world, where the Internet of Things is on the horizon and nearly every health care organization employee and visitor has a smart mobile device that is connected to at least one network, new and more virulent
threats are an everyday concern. In this chapter we will examine and define the concepts of privacy, confidentiality, and security as they apply to health information. Major legislative efforts, historic and current, to protect health care information are outlined, with a focus on the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules. Different types of threats, intentional and unintentional, to health information will be discussed. Basic requirements for a strong health care organization security program will be outlined, and the chapter will conclude with the cybersecurity challenges in today's environment of mobile and cloud-based devices, wearable fitness trackers, social media, and remote access to health information.
Privacy, Confidentiality, and Security Defined
As stated, privacy is an individual's right to be left alone and to limit access to his or her health care information. Confidentiality is related to privacy but specifically addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust. Security refers to the systems that are in place to protect health information and the systems within which it resides. Health care organizations must protect their health information and health information systems from a range of potential threats. Certainly, security systems must protect against unauthorized access and disclosure of patient information, but they must also be designed to protect the organization's IT assets—such as the networks, hardware, software, and applications that make up the organization's health care information systems—from harm.
Legal Protection of Health Information
There are many sources for the legal and ethical requirements that health care professionals maintain the confidentiality of patient information and protect patient privacy. Ethical and professional standards, such as those published by the American Medical Association and other organizations, address professional conduct and the need to hold patient information in confidence. Accrediting bodies, such as the Joint Commission, state facility licensure rules, and the government through Centers for Medicare and Medicaid, dictate that health care organizations follow standard practice and state and federal laws to ensure the confidentiality and security of patient information.
Today, legal protection specially addressing the unauthorized disclosure of an individual's health information generally comes from one of three sources (Koch, 2016):
Federal HIPAA Privacy, Security, and Breach Notification rules
State privacy laws. These laws typically apply more stringent protections for information related to specific health conditions (HIV/AIDS, mental or reproductive health, for example).
Federal Trade Commission (FTC) Act consumer protection, which protects against unfair or deceptive practices. The FTC issued the Health Breach Notification Rule in 2010 to require certain businesses not covered by HIPAA, including PHR vendors, PHR-related entities, or third-party providers for PHR vendors or PHR-related entities to notify individuals of a security breach.
However, there are two other major federal laws governing patient privacy that, although they have been essentially superseded by HIPAA, remain important, particularly from a historical perspective.
The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 [1975])
Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd-2, 42 C.F.R. Part 2)
The Privacy Act of 1974
In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the American public with the right to obtain information from federal agencies. The act covers all records created by the federal government, with nine exceptions. The sixth exception is for personnel and medical information, “the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” There was, however, concern that this exception to the FOIA was not strong enough to protect federally created patient records and other health information. Consequently, Congress enacted the Privacy Act of 1974. This act was written specifically to protect patient confidentiality only in federally operated health care facilities, such as Veterans Administration hospitals, Indian Health Service facilities, and military health care organizations. Because the protection was limited to those facilities operated by the federal government, most general hospitals and other nongovernment health care organizations did not have to comply. Nevertheless, the Privacy Act of 1974 was an important piece of legislation, not only because it addressed the FOIA exception for patient information but also because it explicitly stated that patients had a right to access and amend their medical records. It also required facilities to maintain documentation of all disclosures. Neither of these things was standard practice at the time.
Confidentiality of Substance Abuse Patient Records
During the 1970s, people became increasingly aware of the extra-sensitive nature of drug and alcohol treatment records. This led to the regulations currently found in 42 C.F.R. (Code of Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records. These regulations have been amended twice, with the latest version published in 1999. They offer specific guidance to federally assisted health care organizations that provide referral, diagnosis, and treatment services to patients with alcohol or drug problems. Not surprisingly, they set stringent release of information standards, designed to protect the confidentiality of patients seeking alcohol or drug treatment.
HIPAA
HIPAA is the first comprehensive federal regulation to offer specific protection to private health information. Prior to the enactment of HIPAA there was no single federal regulation governing the privacy and security of patient-specific information, only the limited legislative protections previously discussed. These laws were not comprehensive and protected only specific groups of individuals.
The Health Insurance Portability and Accountability Act of 1996 consists of two main parts:
Title I addresses health care access, portability, and renewability, offering protection for individuals who change jobs or health insurance policies. (Although Title I is an important piece of legislation, it does not address health care information specifically and will therefore not be addressed in this chapter.)
Title II includes a section titled, “Administrative Simplification.” The requirements establishing privacy and security regulations for protecting individually identifiable health information are found in Title II of HIPAA. The HIPAA Privacy Rule was required beginning April 2003 and the HIPAA Security Rule beginning April 2005. Both rules were subsequently amended and the Breach Notification Rule was added as a part of the HITECH Act in 2009.
The information protected under the HIPAA Privacy Rule is specifically defined as PHI, which is information that
Relates to a person's physical or mental health, the provision of health care, or the payment for health care
Identifies the person who is the subject of the information
Is created or received by a covered entity
Is transmitted or maintained in any form (paper, electronic, or oral)
Unlike the Privacy Rule, the Security Rule addressed only PHI transmitted or maintained in electronic form. Within the Security Rule this information is identified
as ePHI.
The HIPAA rules also define covered entities (CEs), those organizations to which the rules apply:
Health plans, which pay or provide for the cost of medical care
Health care clearinghouses, which process health information (for example, billing services)
Health care providers who conduct certain financial and administrative transactions electronically (These transactions are defined broadly so that the reality of HIPAA is that it governs nearly all health care providers who receive any type of third-party reimbursement.)
If any CE shares information with others, it must establish contracts to protect the shared information. The HITECH Act amended HIPAA and added “Business Associates” as a category of CE. It further clarified that certain entities, such as health information exchange organizations, regional health information organizations, e-prescribing gateways, or a vendor that contracts with a CE to allow the CE to offer a personal health record as a part of its EHR, are business associates if they require access to PHI on a routine basis (Coppersmith, Gordon, Schermer, & Brokelman, PLC, 2012).
HIPAA Privacy Rule
Although the HIPAA Privacy Rule is a comprehensive set of federal standards, it permits the enforcement of existing state laws that are more protective of individual privacy, and states are also free to pass more stringent laws. Therefore, health care organizations must still be familiar with their own state laws and regulations related to privacy and confidentiality.
The major components to the HIPAA Privacy Rule in its original form include the following:
Boundaries. PHI may be disclosed for health purposes only, with very limited exceptions.
Security. PHI should not be distributed without patient authorization unless there is a clear basis for doing so, and the individuals who receive the information must safeguard it.
Consumer control. Individuals are entitled to access and control their health records and are to be informed of the purposes for which information is being disclosed and used.
Accountability. Entities that improperly handle PHI can be charged under criminal law and punished and are subject to civil recourse as well.
Public responsibility. Individual interests must not override national priorities in public health, medical research, preventing health care fraud, and law enforcement in general.
With HITECH, the Privacy Rule was expanded to include creation of new privacy requirements for HIPAA-covered entities and business associates. In addition, the rights of individuals to request and obtain their PHI are strengthened, as is the right of the individual to prevent a health care organization from disclosing PHI to a health plan, if the individual paid in full out of pocket for the related services. There were also some new provisions for accounting of disclosures made through an EHR for treatment, payment, and operations (Coppersmith et al., 2012).
The HIPAA Privacy Rule attempts to sort out the routine and nonroutine use of health information by distinguishing between patient consent to use PHI and patient authorization to release PHI. Health care providers and others must obtain a patient's written consent prior to disclosure of health information for routine uses of treatment, payment, and health care operations. This consent is fairly general in nature and is obtained prior to patient treatment. There are some exceptions to this in emergency situations, and the patient has a right to request restrictions on the disclosure. However, health care providers can deny treatment if they feel that limiting the disclosure would be detrimental. Health care providers and others must obtain the patient's specific written authorization for all nonroutine uses or disclosures of PHI, such as releasing health records to a school or a relative.
Exhibit 9.1 is a sample release of information form used by a hospital, showing the following elements that should be present on a valid release form:
Patient identification (name and date of birth)
Name of the person or entity to whom the information is being released
Description of the specific health information authorized for disclosure
Statement of the reason for or purpose of the disclosure
Date, event, or condition on which the authorization will expire, unless it is revoked earlier
Statement that the authorization is subject to revocation by the patient or the patient's legal representative
Patient's or legal representative's signature
Signature date, which must be after the date of the encounter that produced the information to be released
Exhibit 9.1 Sample Release of Information Form
Source: © 2017 Medical University Hospital Authority. All rights reserved. This form is provided “as is” without any warranty, express or implied, as to its legal effect or completeness. Forms should be used as a guide and modified to meet the laws of your state. Use at your own risk.
Health care organizations need clear policies and procedures for releasing PHI. A central point of control should exist through which all nonroutine requests for information pass, and all disclosures should be well documented.
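The release-form elements listed above can be checked mechanically at the central point of control before a nonroutine disclosure goes out. The following Python sketch is an added example, not part of the textbook or of any hospital's system; the field names, the sample patient, and the sample dates are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional


@dataclass
class ReleaseAuthorization:
    """Hypothetical record mirroring the elements of a valid release form."""
    patient_name: str
    patient_dob: Optional[date]
    recipient: str
    information: str            # description of what may be disclosed
    purpose: str
    signed_by: str              # patient or legal representative
    signed_on: Optional[date]
    encounter_date: date        # encounter that produced the information
    revocation_notice: bool     # form states that it can be revoked
    expires_on: Optional[date] = None
    expiry_event: str = ""      # event or condition, reviewed by a person
    revoked_on: Optional[date] = None


def check_release(auth: ReleaseAuthorization, today: date) -> List[str]:
    """Return the reasons this authorization cannot be honored today."""
    problems = []
    if not auth.patient_name.strip() or auth.patient_dob is None:
        problems.append("patient identification incomplete")
    if not auth.recipient.strip():
        problems.append("recipient missing")
    if not auth.information.strip():
        problems.append("information to disclose not described")
    if not auth.purpose.strip():
        problems.append("purpose missing")
    # Expiry may be a date, an event, or a condition; only a date can be
    # evaluated automatically, so an event-based expiry is accepted as present.
    if auth.expires_on is None and not auth.expiry_event.strip():
        problems.append("no expiration date, event, or condition")
    elif auth.expires_on is not None and today > auth.expires_on:
        problems.append("authorization expired")
    if not auth.revocation_notice:
        problems.append("revocation statement missing")
    if auth.revoked_on is not None and auth.revoked_on <= today:
        problems.append("authorization revoked")
    if not auth.signed_by.strip() or auth.signed_on is None:
        problems.append("signature or signature date missing")
    elif auth.signed_on <= auth.encounter_date:
        # The list above requires the signature date to be after the encounter.
        problems.append("signed on or before the encounter date")
    return problems


# Constructed sample data (not real patients or facilities).
VALID = ReleaseAuthorization(
    patient_name="Jane Sample",
    patient_dob=date(1950, 2, 1),
    recipient="Example Rehabilitation Center",
    information="Discharge summary for the encounter of 2024-03-01",
    purpose="Continuing care",
    signed_by="Jane Sample",
    signed_on=date(2024, 3, 5),
    encounter_date=date(2024, 3, 1),
    revocation_notice=True,
    expires_on=date(2024, 9, 5),
)
INVALID = replace(VALID, purpose="", signed_on=date(2024, 2, 20),
                  expires_on=date(2024, 3, 15))

if __name__ == "__main__":
    for label, auth in (("valid", VALID), ("invalid", INVALID)):
        print(label, check_release(auth, today=date(2024, 4, 1)))
```

Logging the returned list together with the request also supports the requirement that all disclosures be well documented.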
In some instances, PHI can be released without the patient's authorization. For example, some state laws require disclosing certain health information. It is always good practice to obtain a patient authorization prior to releasing information when feasible, but in state-mandated cases it is not required. Some examples of situations in which information might need to be disclosed to authorized recipients without the patient's consent are the presence of a communicable disease, such as AIDS and sexually transmitted diseases, which must be reported to the state or county department of health; suspected child abuse or adult abuse that must be reported to designated authorities; situations in which there is a legal duty to warn another person of a clear and imminent danger from a patient; bona fide medical emergencies; and the existence of a valid court order.
The HIPAA Security Rule
The HIPAA Security Rule is closely connected to the HIPAA Privacy Rule. The Security Rule governs only ePHI, which is defined as protected health information maintained or transmitted in electronic form. It is important to note that the Security Rule does not distinguish between electronic forms of information or between transmission mechanisms. ePHI may be stored in any type of electronic media, such as magnetic tapes and disks, optical disks, servers, and personal computers. Transmission may take place over the Internet or on local area networks (LANs), for example.
The standards in the final rule are defined in general terms, focusing on what should be done rather than on how it should be done. According to the Centers for Medicare and Medicaid Services (CMS, 2004), the final rule specifies “a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information (ePHI). The standards are delineated into either required or addressable implementation specifications.” A required specification must be implemented by a CE for that organization to be in compliance. However, the CE is in compliance with an addressable specification if it does any one of the following:
Implements the specification as stated
Implements an alternative security measure to accomplish the purposes of the standard or specification
Chooses not to implement anything, provided it can demonstrate that the standard or specification is not reasonable and appropriate and that the purpose of the standard can still be met; because the Security Rule is designed to be technology neutral, this flexibility was granted for organizations that employ nonstandard technologies or have legitimate reasons not to need the stated specification (AHIMA, 2003)
The standards contained in the HIPAA Security Rule are divided into sections, or categories, the specifics of which we outline here. You will notice overlap among the sections. For example, contingency plans are covered under both administrative and physical safeguards, and access controls are addressed in several standards and specifications.
The HIPAA Security Rule
The HIPAA Security Administrative Safeguards section of the Final Rule contains nine standards:
1. Security management functions. This standard requires the CE to implement policies and procedures to prevent, detect, contain, and correct security violations. There are four implementation specifications for this standard:
Risk analysis (required). The CE must conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of ePHI.
Risk management (required). The CE must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Sanction policy (required). The CE must apply appropriate sanctions against workforce members who fail to comply with the CE's security policies and procedures.
Information system activity review (required). The CE must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
2. Assigned security responsibility. This standard does not have any implementation specifications. It requires the CE to identify the individual responsible for overseeing development of the organization's security policies and procedures.
3. Workforce security. This standard requires the CE to implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining access. There are three implementation specifications for this standard:
Authorization and/or supervision (addressable). The CE must have a process for ensuring that the workforce working with ePHI has adequate authorization and supervision.
Workforce clearance procedure (addressable). There must be a process to determine what access is appropriate for each workforce member.
Termination procedures (addressable). There must be a process for
terminating access to ePHI when a workforce member is no longer employed or his or her responsibilities change.
4. Information access management. This standard requires the CE to implement policies and procedures for authorizing access to ePHI. There are three implementation specifications within this standard. The first (not shown here) applies to health care clearinghouses, and the other two apply to health care organizations:
Access authorization (addressable). The CE must have a process for granting access to ePHI through a workstation, transaction, program, or other process.
Access establishment and modification (addressable). The CE must have a process (based on the access authorization) to establish, document, review, and modify a user's right to access a workstation, transaction, program, or process.
5. Security awareness and training. This standard requires the CE to implement awareness and training programs for all members of its workforce. This training should include periodic security reminders and address protection from malicious software, log-in monitoring, and password management. (These items to be addressed in training are all listed as addressable implementation specifications.)
6. Security incident reporting. This standard requires the CE to implement policies and procedures to address security incidents.
7. Contingency plan. This standard has five implementation specifications:
Data backup plan (required)
Disaster recovery plan (required)
Emergency mode operation plan (required)
Testing and revision procedures (addressable); the CE should periodically test and modify all contingency plans
Applications and data criticality analysis (addressable); the CE should assess the relative criticality of specific applications and data in support of its contingency plan
8. Evaluation. This standard requires the CE to periodically perform technical and nontechnical evaluations in response to changes that may affect the security of ePHI.
9. Business associate contracts and other arrangements. This standard outlines the conditions under which a CE must have a formal agreement with business associates in order to exchange ePHI.
The HIPAA Security Physical Safeguards section contains four standards:
1. Facility access controls. This standard requires the CE to implement policies and procedures to limit physical access to its electronic information systems and the facilities in which they are housed to authorized users. There are four implementation specifications with this standard:
Contingency operations (addressable). The CE should have a process for allowing facility access to support the restoration of lost data under the disaster recovery plan and emergency mode operation plan.
Facility security plan (addressable). The CE must have a process to safeguard the facility and its equipment from unauthorized access, tampering, and theft.
Access control and validation (addressable). The CE should have a process to control and validate access to facilities based on users' roles or functions.
Maintenance records (addressable). The CE should have a process to document repairs and modifications to the physical components of a facility as they relate to security.
2. Workstation use. This standard requires the CE to implement policies and procedures that specify the proper functions to be performed and the manner in which those functions are to be performed on a specific workstation or class of workstation that can be used to access ePHI and that also specify the physical attributes of the surroundings of such workstations.
3. Workstation security. This standard requires the CE to implement physical safeguards for all workstations that are used to access ePHI and to restrict access to authorized users.
4. Device and media controls. This standard requires the CE to implement policies and procedures for the movement of hardware and electronic media that contain ePHI into and out of a facility and within a facility. There are four implementation specifications with this standard:
Disposal (required). The CE must have a process for the final disposition of ePHI and of the hardware and electronic media on which it is stored.
Media reuse (required). The CE must have a process for removal of ePHI from electronic media before the media can be reused.
Accountability (addressable). The CE must maintain a record of movements of hardware and electronic media and any person responsible for these items.
Data backup and storage (addressable). The CE must create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
The HIPAA Security Technical Safeguards section has five standards:
1. Access control. This standard requires the CE to implement technical policies and procedures for electronic information systems that maintain ePHI in order to allow access only to those persons or software programs that have been granted access rights as specified in the administrative safeguards. There are four implementation specifications within this standard:
Unique user identification (required). The CE must assign a unique name or number for identifying and tracking each user's identity.
Emergency access procedure (required). The CE must establish procedures for obtaining necessary ePHI in an emergency.
Automatic log-off (addressable). The CE must implement electronic processes that terminate an electronic session after a predetermined time of inactivity.
Encryption and decryption (addressable). The CE should implement a mechanism to encrypt and decrypt ePHI as needed.
2. Audit controls. This standard requires the CE to implement hardware, software, and procedures that record and examine activity in the information systems that contain ePHI.
3. Integrity. This standard requires the CE to implement policies and procedures to protect ePHI from improper alteration or destruction.
4. Person or entity authentication. This standard requires the CE to implement procedures to verify that a person or entity seeking access to ePHI is in fact the person or entity claimed.
5. Transmission security. This standard requires the CE to implement technical measures to guard against unauthorized access to ePHI being transmitted across a network. There are two implementation specifications with this standard:
Integrity controls (addressable). The CE must implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
Encryption (addressable). The CE should encrypt ePHI whenever it is deemed appropriate.
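Several of the technical safeguards above (unique user identification, emergency access procedure, automatic log-off, audit controls) leave traces that an information system activity review can test for. The following Python sketch is an added example, not code from the textbook or from any EHR product; the log format, the event names, and the 15-minute inactivity limit are assumptions, since the rule leaves the "predetermined time of inactivity" to the CE.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed policy value chosen for this example only.
INACTIVITY_LIMIT = timedelta(minutes=15)

# Constructed sample audit log: timestamp, user ID, workstation, event.
SAMPLE_LOG = """\
2024-03-04T08:00:00 nurse_ak WS-101 LOGIN
2024-03-04T08:05:00 nurse_ak WS-101 VIEW_RECORD
2024-03-04T08:50:00 nurse_ak WS-101 VIEW_RECORD
2024-03-04T08:55:00 nurse_ak WS-101 LOGOUT
2024-03-04T09:00:00 dr_lee WS-201 LOGIN
2024-03-04T09:02:00 dr_lee WS-305 LOGIN
2024-03-04T09:04:00 dr_lee WS-201 VIEW_RECORD
2024-03-04T09:06:00 dr_lee WS-201 LOGOUT
2024-03-04T09:07:00 dr_lee WS-305 LOGOUT
2024-03-04T10:00:00 dr_ortiz WS-410 LOGIN
2024-03-04T10:01:00 dr_ortiz WS-410 EMERGENCY_ACCESS
2024-03-04T10:05:00 dr_ortiz WS-410 LOGOUT
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    workstation: str
    when: datetime


def review_audit_log(text: str,
                     limit: timedelta = INACTIVITY_LIMIT) -> List[Finding]:
    """Flag audit-log entries that a reviewer should follow up on."""
    findings: List[Finding] = []
    # (user, workstation) -> time of the last activity in the open session
    open_sessions: Dict[Tuple[str, str], datetime] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed audit line: {line!r}")
        stamp, user, workstation, event = fields
        when = datetime.fromisoformat(stamp)
        key = (user, workstation)

        # Automatic log-off: activity in a session that sat idle past the
        # limit means the session was never terminated.
        last_seen = open_sessions.get(key)
        if last_seen is not None and when - last_seen > limit:
            findings.append(
                Finding("IDLE_SESSION_NOT_TERMINATED", user, workstation, when))

        if event == "LOGIN":
            # Unique user identification: one ID active on two workstations
            # at once suggests a shared or borrowed credential.
            elsewhere = [ws for (u, ws) in open_sessions
                         if u == user and ws != workstation]
            if elsewhere:
                findings.append(
                    Finding("CONCURRENT_USER_ID", user, workstation, when))
        elif event == "EMERGENCY_ACCESS":
            # Emergency access procedure: every use gets a follow-up review.
            findings.append(
                Finding("EMERGENCY_ACCESS_USED", user, workstation, when))

        if event == "LOGOUT":
            open_sessions.pop(key, None)
        else:
            open_sessions[key] = when
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f.when.isoformat(), f.kind, f.user, f.workstation)
```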
The Policies, Procedures, and Documentation section has two standards:
1. Policies and procedures. This standard requires the CE to establish and implement policies and procedures to comply with the standards, implementation specifications, and other requirements.
2. Documentation. This standard requires the CE to maintain the policies and procedures implemented to comply with the Security Rule in written form. There are three implementation specifications:
Time limit (required). The CE must retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.
Availability (required). The CE must make the documentation available to those persons responsible for implementing the policies and procedures.
Updates (required). The CE must review the documentation periodically and update it as needed.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires CEs and their business associates to provide notification following a breach of unsecured protected health information. “‘Unsecured’ PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance” (US Department of Health and Human Services, n.d.c). To meet the requirement of “secured” PHI, it must have been encrypted using a valid encryption process, or the media on which the PHI is stored have been destroyed. Paper or other hard copy media, such as film, must be shredded or otherwise destroyed so that it cannot be read or reconstructed. Electronic media must be “sanitized” according to accepted standards so that PHI cannot be retrieved (US Department of Health and Human Services, n.d.c).
The notification requirements include, depending on the circumstances, notification to these sources:
Individuals affected
The Health and Human Services Secretary (via the Office for Civil Rights [OCR])
Major media outlets
All individuals affected by breaches of unsecured PHI must be notified within a reasonable length of time—less than sixty days—after the breach is discovered. If the CE does not have sufficient information to contact ten or more individuals directly, the notification must be made on the home page of its website for at least ninety days or by a major media outlet. A CE that experiences a breach involving five hundred or more individuals must, in addition to sending individual notices, provide notice to a major media outlet serving the area. This notification must also be made within sixty days. All breaches must also be reported to the secretary of HHS; the breaches involving more than five hundred individuals must be reported within sixty days; all others may be reported on an annual basis (US Department of Health and Human Services, n.d.b).
HIPAA Enforcement and Violation Penalties
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA Privacy and Security rules. In addition, HITECH gave state attorneys general the authority to bring civil actions on behalf of the residents of their states for HIPAA violations. From April 2003 until May 2016, OCR received over 134,000 HIPAA complaints and initiated 879 compliance reviews. The resolution of the complaints and reviews is as follows (US Department of Health and Human Services, 2016):
Settled thirty-five cases resulting in $36,639,200 in penalties
Resolved 24,241 cases by requiring a change in privacy practices and corrective actions by, or providing technical assistance to, CEs or business associates
Identified 11,018 cases as no violation and 79,865 cases as non-eligible
HIPAA criminal and civil penalties for noncompliance are applied using a tiered schedule that ranges from $100 for a single violation, when the individual did not know he or she was not in compliance, to $1,500,000 for multiple violations because of willful neglect. It is important to note that civil penalties cannot be levied in situations when the violation is corrected within a specified period of time.
The structure for HIPAA violations reflects four categories of violations and associated penalties. Table 9.1 outlines the categories and penalties.
Table 9.1 HIPAA violation categories
Source: What are the penalties for HIPAA violations? (2015).

| Violation Category | Category Fine* |
| --- | --- |
| Category 1: A violation that the CE was unaware of, and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA rules | Minimum fine of $100 per violation up to $50,000 |
| Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA rules) | Minimum fine of $1,000 per violation up to $50,000 |
| Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA rules, in cases in which an attempt has been made to correct the violation | Minimum fine of $10,000 per violation up to $50,000 |
| Category 4: A violation of HIPAA rules constituting willful neglect, and no attempt has been made to correct the violation | Minimum fine of $50,000 per violation |

*The fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000.
In addition to these civil penalties, a HIPAA violation may result in criminal charges. The criminal penalties are divided into the following three tiers (What are the penalties for HIPAA violations, 2015):
Tier 1: Reasonable cause or no knowledge of violation—Up to one year in jail
Tier 2: Obtaining PHI under false pretenses—Up to five years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent—Up to ten years in jail
As stated, most HIPAA violations are resolved with corrective action. In 2015 six financial penalties were issued. However, a serious violation can cost a health care organization a significant amount of money. One such case resulting in a substantial financial settlement is outlined in the Perspective. The top ten largest fines levied for HIPAA violations as of August 2016 are listed in Table 9.2.
Table 9.2 Top ten largest fines levied for HIPAA violations as of August 2016
Source: Bazzoli (2016).

| Organization | Individuals Affected | Fine Awarded ($ million) | Date Awarded |
| --- | --- | --- | --- |
| Advocate Health Care: Lacked appropriate safeguards, including an unencrypted laptop left in a vehicle overnight | 4 million | 5.55 | August 2016 |
| New York Presbyterian Hospital and Columbia University: PHI accessible on Google and other search engines | 6,800 | 4.8 | May 2014 |
| Cignet Health: Did not allow patients access to medical records and refused to cooperate with OCR | 41 | 4.3 | February 2011 |
| Feinstein Institute for Medical Research: Lacked appropriate safeguards leading to theft | Unknown | 3.9 | March 2016 |
| Triple-S Management Corp (Blue Cross/Blue Shield licensee in Puerto Rico): Did not deactivate user IDs and passwords, allowing previous employees to access PHI | 398,000 | 3.5 | November 2015 |
| University of Mississippi Medical Center: Did not manage risks appropriately, although aware of risks and vulnerabilities | 10,000 | 2.75 | July 2016 |
| Oregon Health & Science University: Lacked safeguards with regards to stolen laptop and used cloud storage without a business associate agreement in place | 7,000 | 2.7 | July 2016 |
| CVS Pharmacy: Improperly disposed of PHI such as prescription labels | Unknown | 2.25 | January 2009 |
| New York Presbyterian Hospital: Allowed filming of two patients for a TV series creating the potential for PHI to be compromised. (Note: Hospital continues to maintain it was not a violation.) | Unknown | 2.2 | April 2016 |
| Concentra Health Services: Failed to remediate an identified lack of encryption after an unencrypted laptop was stolen | 870 | 1.73 | April 2014 |
Perspective
$750,000 HIPAA Settlement Underscores the Need for Organization-Wide Risk Analysis
The University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine. Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization's compliance efforts.
The US Department of Health and Human Services Office for Civil Rights (OCR) initiated its investigation of the UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. The malware compromised the organization's IT system, affecting the data of two different groups of patients: (1) approximately 76,000 patients involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and (2) approximately 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, Social Security numbers, insurance identification or Medicare numbers.
OCR's investigation indicated UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.
Source: HHS.gov (2015). Used with permission.
Threats to Health Care Information
What are the threats to health care information systems? In general, threats to health care information systems fall into one of these three categories:
Human tampering threats
Natural and environmental threats, such as floods and fire
Environmental factors and technology malfunctions, such as a drive that fails and has no backup or a power outage
Threats to health care information systems from human beings can be intentional or unintentional. They can be internal, caused by employees, or external, caused by individuals outside the organization.
Intentional threats include knowingly disclosing patient information without authorization, theft, intentional alteration of data, and intentional destruction of data. The culprit could be a computer hacker, a disgruntled employee, or a prankster. Cybercrime directed at health information systems has increased significantly in recent years. In the 2014–2015 two-year period, more than 90 percent of health care organizations reported a health information security breach, and of these reports, nearly half were because of criminal activity (Koch, 2016). Intentional destruction or disruption of health care information is generally caused by some form of malware, a general term for software that is written to “infect” and subsequently harm a host computer system. The best-known form of malware is the computer virus, but there are others, including the particularly virulent ransomware, attacks from which are on the rise in health care.
The following list includes common forms of malware with a brief description of each (Comodo, 2014):
Viruses are generally spread when software is shared among computers. A virus is a “contagious” piece of software code that infects the host system and spreads itself.
Trojans (or Trojan Horses) are a type of virus specifically designed to look like a safe program. They can be programmed to steal personal information or to take over the resources of the host computer making it unavailable for its intended use.
Spyware tracks Internet activities assisting the hacker in gathering information without consent. Spyware is generally hidden and can be difficult to detect.
Worms are software code that replicates itself and destroys files that are on the host computer, including the operating system.
Ransomware is an advanced form of malware that hackers use to cripple the organization's computer systems through malicious code, generally launched via an e-mail that is opened unwittingly by an employee, a method known as phishing. The malicious code then encrypts and locks folders and operating systems. The hacker demands money, generally in the form of bitcoins, a type of digital currency, to provide the decryption key to unlock the organization's systems (Conn, 2016).
Some of the causes of unintentional health information breaches are lack of training in proper use of the health information system or human error. Users may unintentionally share patient information without proper authorization. Other examples include users sharing passwords or downloading information from nonsecure Internet sites, creating the potential for a breach in security. Some of the more common forms of internal breaches of security across all industries are the installation or use of unauthorized software, use of the organization's computing resources for illegal or illicit communications or activities (porn surfing, e-mail harassment, and so forth), and the use of the organization's computing resources for personal profit. Losing or improperly disposing of electronic devices, including computers and portable electronic devices, also constitutes a serious form of unintentional health information exposure. In 2015, the OCR portal, which lists breach incidents potentially affecting five hundred or more individuals, reported more than seventy-five thousand individuals' data were breached either because of loss or improper disposal of a device containing PHI (OCR, n.d.).
Threats from natural causes, such as fire or flood, are less common than human threats, but they must also be addressed in any comprehensive health care information security program. Loss of information because of environmental factors and technical malfunctions must be secured against by using appropriate safeguards.
The Health Care Organization's Security Program
The realization of any of the threats discussed in the previous section can cause significant damage to the organization. Resorting to manual operations if the computers are down for days, for example, can lead to organizational chaos. Theft or loss of organizational data can lead to litigation by the individuals harmed by the disclosure of the data and HIPAA violations. Malware can corrupt databases, corruption from which there may be no recovery. The function of the health care organization's security program is to identify potential threats and implement processes to remove these threats or mitigate their ability to cause damage. The primary challenge of developing an effective security program in a health care organization is balancing the need for security with the cost of security. An organization does not know how to calculate the likelihood that a hacker will cause serious damage or a backhoe will cut through network cables under the street. The organization may not fully understand the consequences of being without its network for four hours or four days. Hence, it may not be sure how much to spend to remove or reduce the risk.
Another challenge is maintaining a satisfactory balance between health care information system security and health care data and information availability. As we saw in Chapter Two, the major purpose of maintaining health information and health records is to facilitate high-quality care for patients. On the one hand, if an organization's security measures are so stringent that they prevent appropriate access to the health information needed to care for patients, this important purpose is undermined. On the other hand, if the organization allows unrestricted access to all patient-identifiable information to all its employees, the patients' rights to privacy and confidentiality would certainly be violated and the organization's IT assets would be at considerable risk.
The ONC (2015) publication Guide to Privacy and Security of Electronic Health Information for health care providers includes a chapter describing a seven-step approach for implementing a security management process. The guidance is directed at physician practices or other small health care organizations, and it does not include specific technical solutions. Specific solutions for security protection will be driven by the organization's overall plan and will be managed by the organization's IT team. Larger organizations must also develop comprehensive security programs and will follow the same basic steps, but they will likely have more internal resources for security than smaller practices.
Each step in the ONC security management process for health care providers is listed in the following section.
Step 1: Lead Your Culture, Select Your Team, and Learn
This step includes six actions:
1. Designate a security officer, who will be responsible for developing and implementing the security practices to meet HIPAA requirements and ensure the security of PHI.
2. Discuss HIPAA security requirements with your EHR developer to ensure that your system can be implemented to meet the security requirements of HIPAA and Meaningful Use.
3. Consider using a qualified professional to assist with your security risk analysis. The security risk analysis is the opportunity to discover as much as possible about risks and vulnerabilities to health information within the organization.
4. Use tools to preview your security risk analysis. Examples of available tools are listed within Step 3.
5. Refresh your knowledge base of the HIPAA rules.
6. Promote a culture of protecting patient privacy and securing patient information. Make sure to communicate that all members of the organization are responsible for protecting patient information.
Step 2: Document Your Process, Findings, and Actions
Documenting the processes for risk analysis and implementation of safeguards is very important, not to mention a requirement of HIPAA. The following are some examples cited by the ONC of records to retain:
Policies and procedures
Completed security checklists (ESET, n.d.)
Training materials presented to staff members and volunteers and any associated certificates of completion
Updated business associate (BA) agreements
Security risk analysis report
EHR audit logs that show utilization of security features and efforts to monitor users' actions
Risk management action plan or other documentation that shows appropriate safeguards are in place throughout your organization, implementation timetables, and implementation notes
Security incident and breach information
Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)
Risk analysis assesses potential threats and vulnerabilities to the “confidentiality, integrity and availability” (ONC, 2015, p. 41) of PHI. Several excellent government-sponsored guides and toolsets available for conducting a comprehensive risk analysis are listed in Table 9.3 with a corresponding web address.
Table 9.3 Resources for conducting a comprehensive risk analysis

| Resource | Web address |
| --- | --- |
| OCR's Guidance on Risk Analysis Requirements under the HIPAA Rule | http://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html |
| OCR Security Rule Frequently Asked Questions (FAQs) | http://www.hhs.gov/hipaa/for-professionals/faq |
| ONC SRA (Security Risk Assessment) Tool for small practices | https://www.healthit.gov/providers-professionals/security-risk-assessment |
| National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit | https://scap.nist.gov/hipaa/ |
The three basic actions recommended for the organization's first comprehensive security risk analysis are as follows:
1. Identify where ePHI exists.
2. Identify potential threats and vulnerabilities to ePHI.
3. Identify risks and their associated levels.
Step 4: Develop an Action Plan
As discussed, the HIPAA Security Plan provides flexibility in how to achieve compliance, which allows an organization to take into account its specific needs. The action plan should include five components. Once in place, the plan should be reviewed regularly by the security team, led by the security officer.
1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards
4. Organizational standards
5. Policies and procedures
Table 9.4 lists common examples of vulnerabilities and mitigation strategies that could be employed.
Table 9.4 Common examples of vulnerabilities and mitigation strategies
Source: ONC (2015).

| Security Component | Examples of Vulnerabilities | Examples of Security Mitigation Strategies |
| --- | --- | --- |
| Administrative safeguards | No security officer is designated. Workforce is not trained or is unaware of privacy and security issues. | Security officer is designated and publicized. Workforce training begins at hire and is conducted on a regular and frequent basis. Security risk analysis is performed periodically and when a change occurs in the practice or the technology. |
| Physical safeguards | Facility has insufficient locks and other barriers to patient data access. Computer equipment is easily accessible by the public. Portable devices are not tracked or not locked up when not in use. | Building alarm systems are installed. Offices are locked. Screens are shielded from secondary viewers. |
| Technical safeguards | Poor controls enable inappropriate access to EHR. Audit logs are not used enough to monitor users and other EHR activities. No measures are in place to keep electronic patient data from improper changes. No contingency plan exists. Electronic exchanges of patient information are not encrypted or otherwise secured. | Secure user IDs, passwords, and appropriate role-based access are used. Routine audits of access and changes to EHR are conducted. Anti-hacking and anti-malware software is installed. Contingency plans and data backup plans are in place. Data are encrypted. |
| Organizational standards | No breach notification and associated policies exist. BA agreements have not been updated in several years. | Regular reviews of agreements are conducted and updates made accordingly. |
| Policies and procedures | Generic written policies and procedures to ensure HIPAA security compliance were purchased but not followed. The manager performs ad hoc security measures. | Written policies and procedures are implemented and staff members are trained. Security team conducts monthly review of user activities. Routine updates are made to document security measures. |
Step 5: Manage and Mitigate Risks
The security plan will reduce risk only if it is followed by all employees in the organization. This step has four actions associated with it.
1. Implement your plan.
2. Prevent breaches by educating and training your workforce.
3. Communicate with patients.
4. Update your BA contracts.
Step 6: Attest for Meaningful Use Security Related Objective
Organizations can attest to the EHR Incentive Program security-related objective after the security risk analysis and correction of any identified deficiencies.
Step 7: Monitor, Audit, and Update Security on an Ongoing Basis
The security officer, IT administrator, and EHR developer should work together to ensure that the organization's monitoring and auditing functions are active and configured appropriately. Auditing and monitoring are necessary to determine the adequacy and effectiveness of the security plan and infrastructure, as well as the “who, what, when, where and how” (ONC, 2015, p. 54) patients' ePHI is accessed.
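The routine audit review that Step 7 calls for can be sketched as follows. This is an added example, not code from the book or from the ONC guide: it reads EHR audit records and reports the who, what, when and where of accesses by unknown user IDs, by accounts of former employees, outside a user's role, or touching unusually many patients in a day. The log format, field names, roster, role policy, threshold and sample records are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: a hypothetical EHR audit-log export. Real EHR products
# use their own formats and field names.
AUDIT_LOG = """\
timestamp,user_id,action,patient_id,workstation
2016-03-01T09:14:00,u1001,view,P-204,WS-ICU-3
2016-03-01T09:20:00,u1001,update,P-204,WS-ICU-3
2016-03-01T10:02:00,u1002,view_charges,P-204,WS-BILL-1
2016-03-01T10:05:00,u1002,view,P-377,WS-BILL-1
2016-03-01T22:41:00,u1003,view,P-118,WS-REMOTE-9
2016-03-02T08:00:00,u9999,view,P-118,WS-LAB-2
2016-03-02T11:00:00,u1001,view,P-301,WS-ICU-3
2016-03-02T11:01:00,u1001,view,P-302,WS-ICU-3
2016-03-02T11:02:00,u1001,view,P-303,WS-ICU-3
2016-03-02T11:03:00,u1001,view,P-304,WS-ICU-3
"""

# Constructed workforce roster: one unique ID per user, with the time the
# account should have been disabled (None while the person is employed).
ROSTER = {
    "u1001": {"role": "nurse", "terminated": None},
    "u1002": {"role": "billing", "terminated": None},
    "u1003": {"role": "physician", "terminated": datetime(2016, 2, 26, 17, 0)},
}

# Assumed role-based access policy: the actions each role may perform.
ROLE_ACTIONS = {
    "nurse": {"view", "update"},
    "physician": {"view", "update", "order"},
    "billing": {"view_charges"},
}


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(rows, roster, role_actions, max_patients_per_day=3):
    """Return findings (who, what, when, where) that need human follow-up."""
    findings = []
    patients_seen = defaultdict(set)  # (user, date) -> distinct patient IDs
    volume_reported = set()

    def flag(row, reason):
        findings.append({
            "when": row["timestamp"].isoformat(),
            "who": row["user_id"],
            "where": row["workstation"],
            "what": f'{row["action"]} {row["patient_id"]}',
            "reason": reason,
        })

    for row in sorted(rows, key=lambda r: r["timestamp"]):
        user = roster.get(row["user_id"])
        if user is None:
            # Every access must trace to an assigned, unique user ID.
            flag(row, "unknown_user")
            continue
        if user["terminated"] and row["timestamp"] >= user["terminated"]:
            # The account of a former employee was never disabled.
            flag(row, "access_after_termination")
        if row["action"] not in role_actions.get(user["role"], set()):
            flag(row, "action_outside_role")
        # Count distinct patients per user per day; report once per day.
        key = (row["user_id"], row["timestamp"].date())
        patients_seen[key].add(row["patient_id"])
        if len(patients_seen[key]) > max_patients_per_day and key not in volume_reported:
            volume_reported.add(key)
            flag(row, "high_volume_access")
    return findings


if __name__ == "__main__":
    for f in review(parse_log(AUDIT_LOG), ROSTER, ROLE_ACTIONS):
        print(f'{f["when"]}  {f["who"]:<6} {f["where"]:<12} {f["what"]:<14} {f["reason"]}')
```

Each finding is a lead for the security officer to follow up, not proof of a violation; the volume threshold in particular has to be tuned to the unit's normal workload.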
Beyond HIPAA: Cybersecurity for Today's Wired Environment
Clearly, HIPAA is an important legislative act aimed at protecting health data and information. However, in today's increasingly wired environment, health care organizations face threats that were not present when HIPAA was enacted. In June 2016, 41 percent of all data breaches were because of cybercrime—hacking. In July of the same year a single hacker was responsible for 30 percent of the health care data breached (Sullivan, 2016). Experts argue that health care organizations are easy targets for cybercriminals because they are inadequately prepared. The average health care provider spends less than 6 percent of its total IT budget on security, compared to the government, which spends 16 percent, and the banking industry, which spends between 12 and 15 percent. By one estimate, the increase in cybercrime against health care organizations is due, at least in part, to PHI's value on the black market, where PHI is estimated to be fifty times more valuable than financial information (Koch, 2016; Siwicki, 2016).
The reality of today's environment is that there are more entry points into health care information networks and computers than ever before. Mobile devices, cloud use, the use of smart consumer products, health care devices with Internet connectivity, along with more employees connecting to health care networks from remote locations create an increased need for cybersecurity in health care organizations. One recent survey found that among medical students and physicians 93.7 percent owned smartphones and 82.9 percent had used them in a clinical setting. Perhaps the most surprising aspect of the survey was that none of the respondents believed using the devices increased risk of breaching patient information (Buchholz, Perry, Weiss, & Cooley, 2016).
So-called mHealth technologies, which include entities that support personal health records and cloud-based or mobile applications that collect patient information directly from patients or allow uploading of health-related data from wearable devices, are also on the rise, as is the use of health-related social media sites. These technologies were not addressed in HIPAA and, therefore, do not meet the criteria as a CE (DeSalvo & Samuels, 2016).
To provide assistance to health care organizations to combat cyber attacks and improve cybersecurity, the ONC (n.d.) published the Top 10 Tips for Cybersecurity in Health Care. The first tip reminds health care organizations to establish a security culture, the same initial tip in their guidance for developing a security plan, clearly emphasizing the importance of this aspect of any security program. The other tips in the publication contain some more specific ways to mitigate the threat from cyber attacks. These tips are listed with specific checkpoints to ensure security (ONC, n.d.). The full version of the top-ten document is available at HealthIT.gov.
Protect Mobile Devices
Ensure your mobile devices are equipped with strong authentication and access controls.
Ensure laptops have password protection.
Enable password protection on handheld devices (if available). Take extra physical control precautions over the device if password protection is not provided.
Protect wireless transmissions from intrusion.
Do not transmit unencrypted PHI across public networks (e.g., Internet, Wi-Fi).
When it is absolutely necessary to commit PHI to a mobile device or remove a device from a secure area, encrypt the data.
Do not use mobile devices that cannot support encryption.
Develop and enforce policies specifying the circumstances under which devices may be removed from the facility.
Take extra care to prevent unauthorized viewing of the PHI displayed on a mobile device.
Maintain Good Computer Habits
Uninstall any software application that is not essential to running the practice (e.g., games, instant message clients, photo-sharing tools).
Do not simply accept defaults or “standard” configurations when installing software.
Find out whether the EHR developer maintains an open connection to the installed software (a “back door”) in order to provide updates and support.
Disable remote file sharing and remote printing within the operating system (e.g., Windows Operating System).
Automate software updates to occur weekly (e.g., use Microsoft Windows Automatic Update).
Monitor for critical and urgent patches and updates that require immediate attention and act on them as soon as possible.
Disable user accounts for former employees quickly and appropriately.
If an employee is to be involuntarily terminated, close access to the account before the notice of termination is served.
Prior to disposal, sanitize computers and any other devices that have had data stored on them.
Archive old data files for storage if needed or clean them off the system if not needed, subject to applicable data retention requirements.
Fully uninstall software that is no longer needed (including trial software and old versions of current software).
Work with your IT team or other resources to perform malware, vulnerability, configuration, and other security audits on a regular basis.
Use a Firewall
Unless your electronic health record (EHR) and other systems are totally disconnected from the Internet, you must install a firewall to protect against intrusions and threats from outside sources.
Larger health care organizations that use a local area network (LAN) should consider a hardware firewall.
Install and Maintain Antivirus Software
Use an antivirus product that provides continuously updated protection against viruses, malware, and other code that can attack your computers through web downloads, CDs, e-mail, and flash drives.
Keep antivirus software up-to-date. Most antivirus software automatically generates reminders about these updates, and many are configurable to allow for automated updating.
Plan for the Unexpected
Create data backups regularly and reliably. Begin backing up data from day one of a new system.
Ensure the data are being captured correctly.
Ensure the data can be quickly and accurately restored.
Use an automated backup system, if possible.
Consider storing the backup far away from the main system.
Protect backup media with the same type of access controls described in the next section.
Test backup media regularly for their ability to restore data properly, especially as the backups age.
Have a sound recovery plan. Know the following:
What data was backed up (e.g., databases, pdfs, tiffs, docs)
When the backups were done (time frame and frequency)
Where the backups are stored
What types of equipment are needed to restore them
Keep the recovery plan securely at a remote location where someone has responsibility for producing it in the event of an emergency.
Control Access to PHI
Configure your EHR system to grant PHI access only to people with a “need to know.”
This access control system might be part of an operating system (e.g., Windows), built into a particular application (e.g., an e-prescribing module), or both.
Manually set file access permissions using an access control list. This can only be done by someone with authorized rights to the system.
Prior to setting these permissions, identify which files should be accessible to which staff members.
Configure role-based access control as needed.
In role-based access, a staff member's role within the organization (e.g., physician, nurse, billing specialist, etc.) determines what information may be accessed.
Assign staff members to the correct roles and then set the access permissions for each role correctly on a need-to-know basis.
The following case on access control provides additional examples of access control.
Case Study Access Control
Mary Smith is the director of the health information management department in a hospital. Under a user-based access control scheme, Mary would be allowed read-only access to the hospital's laboratory information system because of her personal identity—that is, because she is Mary Smith and uses the proper log-in and password(s) to get into the system. Under a role-based control scheme, Mary would be allowed read-only access to the hospital's lab system because she is part of the health information management department and all department employees have been granted read-only privileges for this system. If the hospital were to adopt a context-based control scheme, Mary might be allowed access to the lab system only from her own workstation or another workstation in the health information services department, provided she used her proper log-in and password. If she attempted to log in from the emergency department or another administrative office, she might be denied access. The context control could also involve time of day. Because Mary is a daytime employee, she might be denied access if she attempted to log in at night.
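The case study's three schemes evaluated against the same requests, as an added example that is not from the textbook. The user IDs, department codes, workstation locations and shift hours are constructed assumptions, and authentication (log-in and password) is assumed to have already succeeded.

```python
"""User-based, role-based and context-based access checks side by side.

Every identifier, location and shift window here is constructed for
illustration; none comes from a real EHR or laboratory system.
"""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    user: str         # authenticated log-in name
    department: str   # department the user belongs to (the "role" here)
    system: str       # target system, e.g. "lab"
    action: str       # "read" or "write"
    workstation: str  # department where the workstation is located
    at: time          # local time of the attempt


# User-based: the permission is attached to one named identity.
USER_ACL = {("msmith", "lab"): {"read"}}

# Role-based: the permission is attached to the department, not the person.
ROLE_PERMS = {("him", "lab"): {"read"}}

# Context-based: the role permission plus where and when the request is made.
CONTEXT = {
    ("him", "lab"): {"workstations": {"him"}, "shift": (time(7, 0), time(19, 0))},
}


def user_based(req):
    """Allow only if this specific user was granted the action."""
    return req.action in USER_ACL.get((req.user, req.system), set())


def role_based(req):
    """Allow if the user's department was granted the action."""
    return req.action in ROLE_PERMS.get((req.department, req.system), set())


def in_shift(at, shift):
    """True if `at` falls inside the shift; handles windows crossing midnight."""
    start, end = shift
    if start <= end:
        return start <= at < end
    return at >= start or at < end


def context_based(req):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if not role_based(req):
        return False, "role lacks permission"
    ctx = CONTEXT.get((req.department, req.system))
    if ctx is None:
        return False, "no context rule defined"
    if req.workstation not in ctx["workstations"]:
        return False, "workstation outside permitted location"
    if not in_shift(req.at, ctx["shift"]):
        return False, "outside permitted hours"
    return True, "ok"


def evaluate(req):
    """Run all three schemes on one request so the decisions can be compared."""
    allowed, reason = context_based(req)
    return {
        "user": user_based(req),
        "role": role_based(req),
        "context": allowed,
        "reason": reason,
    }


# Constructed requests mirroring the case study.
MARY_DAY = Request("msmith", "him", "lab", "read", "him", time(10, 30))
MARY_ED = Request("msmith", "him", "lab", "read", "emergency", time(10, 30))
MARY_NIGHT = Request("msmith", "him", "lab", "read", "him", time(23, 15))
MARY_WRITE = Request("msmith", "him", "lab", "write", "him", time(10, 30))
COLLEAGUE = Request("jdoe", "him", "lab", "read", "him", time(10, 30))

if __name__ == "__main__":
    cases = {
        "Mary, own department, daytime": MARY_DAY,
        "Mary, emergency department": MARY_ED,
        "Mary, at night": MARY_NIGHT,
        "Mary, write attempt": MARY_WRITE,
        "Colleague in same department": COLLEAGUE,
    }
    for label, req in cases.items():
        print(f"{label}: {evaluate(req)}")
```

The colleague's request shows the practical difference between the first two schemes: the role-based rule covers a new department member automatically, while the user-based list needs an entry per person.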
Use Strong Passwords
Choose a password that is not easily guessed. Following are some examples of strong password characteristics:
At least eight characters in length (the longer the better)
A combination of uppercase and lowercase letters, one number, and at least one special character, such as a punctuation mark
Strong passwords should not include personal information:
Birth date
Names of self, family members, or pets
Social Security number
Anything that is on your social networking sites or could otherwise be discovered easily by others
Use multifactor authentication for more security. Multifactor authentication combines multiple authentication methods, such as a password plus a fingerprint scan; this results in stronger security protections. If you e-prescribe controlled substances, you must use multifactor authentication for your accounts.
Configure your systems so that passwords must be changed on a regular basis.
To discourage staff members from writing down their passwords, develop a password reset process to provide quick assistance in case of forgotten passwords.
Limit Network Access
Prohibit staff members from installing software without prior approval.
When a wireless router is used, set it up to operate only in encrypted mode.
Prohibit casual network access by visitors.
Check to make sure file sharing, instant messaging, and other peer-to-peer applications have not been installed without explicit review and approval.
Control Physical Access
Limit the chances that devices (e.g., laptops, handhelds, desktops, servers, thumb drives, CDs, backup tapes) may be tampered with, lost, or stolen.
Document and enforce policies limiting physical access to devices and information:
Keep machines in locked rooms.
Manage keys to facilities.
Restrict removal of devices from a secure area.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
Recognizing the severity of the rise in cybercrime, President Obama issued an executive order in February 2013 to “enhance the security and resilience of the Nation's critical infrastructure” (Executive Order 13636). As a result the National Institute of Standards and Technology (NIST) was directed to develop, with the help of stakeholder organizations, a voluntary cybersecurity framework to reduce cyber-attack risks. The resulting NIST cybersecurity framework consists of three components (NIST, n.d.):
1. The Framework Core consists of “five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover.” The functions provide “the highest level, strategic view of an organization's management of cybersecurity risk” (NIST, n.d., p. 4). The functions are divided into categories and subcategories as shown in Exhibit 9.2.
2. The Framework Implementation Tiers characterize an organization's actual cybersecurity practices compared to the framework, using a range of tiers from partial (Tier 1) to adaptive (Tier 4).
3. The Framework Profile documents outcomes obtained by reviewing all of the categories and subcategories and comparing them to the organization's business needs. Profiles can be identified as “current,” documenting where the organization is now, or as “target,” where the organization would like to be in the future.
Exhibit 9.2 Cybersecurity Framework Core
Source: NIST (2016).
Since its initial publication in 2014, the HHS, OCR, and the ONC have cited the framework as an important tool for health care organizations to consider when developing a comprehensive security program. In 2016, OCR published a crosswalk that maps the HIPAA Security Rule to the NIST framework, which can be found at HHS.gov/hipaa (US Department of Health and Human Services, n.d.a).
Summary
In this chapter we gained insight into why health information privacy and security are key topics for health care administrators. In today's ever-increasing electronic world with new and more virulent threats, the security of health information is an ongoing concern. In this chapter we examined and defined the concepts of privacy, confidentiality, and security and explored major legislative efforts, historical and current, to protect health care information, with a focus on the HIPAA Privacy, Security, and Breach Notification rules. Different types of threats, human, natural and environmental, intentional and unintentional, were identified, with a focus on the increase in cybercrime. Basic requirements for a strong health care organization security program were outlined and the chapter ended with a discussion of the cybersecurity challenges within the current health care environment.
Key Terms
42 C.F.R. (Code of Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records
Access control
Antivirus software
Backups
Business associate contracts
Confidentiality
Cybercriminals
Cybersecurity
Electronic health record (EHR)
Electronic protected health information (ePHI)
Federal Trade Commission (FTC) Act
Firewall
Hacker
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA Breach Notification Rule
HIPAA Privacy Rule
HIPAA Security Administrative Safeguards
HIPAA Security Physical Safeguards
HIPAA Security Rule
HIPAA Security Technical Safeguards
Malware
National Institute of Standards and Technology (NIST)
NIST Cybersecurity Framework
Office for Civil Rights (OCR)
Passwords
Privacy
Privacy Act of 1974
Protected health information (PHI)
Ransomware
Security
Security management
Spyware
Threats
Trojan
Viruses
Vulnerabilities
Worms
Learning Activities
1. Do an Internet search for a recent article discussing a significant breach under the HIPAA Privacy and Security rules. Write a summary of the article. Discuss how the organization cited in the article could have prevented or mitigated the risk of the breach.
2. Contact a health care provider to talk with the person responsible for maintaining the legal health record. Ask about the organization's release of information, retention, and destruction policies. Do they comply with the requirements of HIPAA? Explain why or why not.
3. Contact a physician's office or clinic and ask if the organization has a security plan. Discuss the process that staff members undertook to complete the plan, or develop an outline of a plan for them.
4. Visit the Office for Civil Rights Enforcement Activities and Results website. Read at least five case examples involving HIPAA security violations. What do these cases have in common? What are their differences? Do all of the Security Rule violations you read also involve Privacy Rule violations? What were your impressions of the types of cases you read and their resolutions?
References
American Health Information Management Association (AHIMA). (2003). Final Rule for HIPAA security standards. Chicago, IL: Author.
Bazzoli, F. (2016, Aug. 9). 12 largest fines levied for HIPAA violations. Health Data Management. Retrieved August 9, 2016, from http://www.healthdatamanagement.com/list/12-largest-fines-levied-for-hipaa-violations
Buchholz, A., Perry, B., Weiss, L. B., & Cooley, D. (2016). Smartphone use and perceptions among medical students and practicing physicians. Journal of Mobile Technology in Medicine, 5(1), 27–32. doi:10.7309/jmtm.5.1.5
Centers for Medicare and Medicaid Services (CMS). (2004). HIPAA administrative simplification: Security—Final Rule. Retrieved November 2004 from http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security
Comodo. (2014, Aug. 4). Malware versus viruses: What's the difference? Retrieved August 10, 2016, from https://antivirus.comodo.com/blog/computer-safety/malware-vs-viruses-whats-difference/
Conn, J. (2016, Feb. 18). Hospital pays hackers $17,000 to unlock EHRs frozen in “ransomware” attack. Retrieved November 11, 2016, from http://www.modernhealthcare.com/article/20160217/NEWS/160219920
Coppersmith, Gordon, Schermer, & Brockelman, PLC. (2012). HITECH Act expands HIPAA privacy and security rules. Retrieved March 2012 from http://www.azhha.org/member_and_media_resources/documents/HITECHAct.pdf
DeSalvo, K. B., & Samuels, J. (2016, July 19). Examining oversight of the privacy & security of health data collected by entities not regulated by HIPAA. Health IT Buzz. Retrieved August 10, 2016, from https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/examining-oversight-privacy-security-health-data-collected-entities-not-regulated-hipaa/
Goedert, J. (2016, Aug. 8). Hack of Banner systems highlights the need for more firewalls. Retrieved August 10, 2016, from http://www.healthdatamanagement.com/news/hack-of-banner-systems-highlights-the-need-for-more-firewalls?utm_medium=email
HHS.gov. (2015). $750,000 HIPAA settlement underscores the need for organization-wide risk analysis. Retrieved from http://www.hhs.gov/about/news/2015/12/14/750000-hipaa-settlement-underscores-need-for-organization-wide-risk-analysis.html
ESET. (n.d.). HIPAA security checklist [Brochure]. Retrieved August 8, 2016, from https://www.healthit.gov/sites/default/files/comments_upload/hipaa-security-checklist.pdf
Koch, D. D. (2016, Spring). Is HIPAA Security Rule enough to protect electronic personal health information (PHI) in the cyber age? Journal of Health Care Finance. Retrieved August 8, 2016, from http://www.healthfinancejournal.com/index.php/johcf/article/view/67
National Institute of Standards and Technology (NIST). (2016). Framework for improving critical infrastructure cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/CSF-for-law-policy-symposium.pdf
National Institute of Standards and Technology (NIST). (n.d.). Cybersecurity framework. Retrieved August 10, 2016, from http://www.nist.gov/cyberframework/
ONC. (2015). Guide to privacy and security of electronic health information. Retrieved from https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
ONC. (n.d.). Top 10 tips for cybersecurity in health care [Brochure]. Retrieved August 8, 2016, from https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf
Siwicki, B. (2016, May 17). Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices and IoT trigger new vulnerabilities. Healthcare IT News. Retrieved August 10, 2016, from http://www.healthcareitnews.com/node/525131
Sullivan, T. (2016, Aug. 9). “DarkOverLord” ransomware accounts for nearly 30 percent of health data breaches in July. Healthcare IT News. Retrieved August 10, 2016, from http://www.healthcareitnews.com/news/darkoverlord-ransomware-accounts-nearly-30-percent-health-data-breaches-july
Office for Civil Rights (OCR). (n.d.). HHS Breach Portal. Retrieved August 8, 2016, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
US Department of Health and Human Services. (2016, Sept. 30). Enforcement highlights. Retrieved August 8, 2016, from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
US Department of Health and Human Services. (n.d.a). Addressing gaps in cybersecurity: OCR releases crosswalk between HIPAA Security Rule and NIST cybersecurity framework. Retrieved August 10, 2016, from http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/
US Department of Health and Human Services. (n.d.b). Breach Notification Rule. Retrieved August 8, 2016, from http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
US Department of Health and Human Services. (n.d.c). Guidance to render unsecured protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Retrieved August 8, 2016, from http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
What are the penalties for HIPAA violations? (2015, June 14). HIPAA Journal. Retrieved from http://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
Chapter 10 Performance Standards and Measures
Learning Objectives
To be able to explain the significant role of health information in national private and public quality improvement initiatives.
To be able to compare and contrast licensure, certification, and accreditation processes.
To be able to discuss the role of the Joint Commission and the National Committee for Quality Assurance in ensuring the quality of care in the United States.
To be able to understand performance measurement development in the United States.
To be able to identify the roles of specific public and private organizations in the development and endorsement of national performance measures.
To be able to understand the origins and uses of major health care comparative data sets.
This chapter examines public and private organizations and processes that establish standards for ensuring that health records are maintained accurately and completely and that they contain the data and information needed to define and report a wide range of measures to determine the quality and efficiency of health care. These activities are very important and have a significant influence on providers and HIT capabilities, significant enough for us to devote an entire chapter to them.
Health care organizations and health plans use data and information to measure performance against internal and external standards; to compare performance to other like organizations; to demonstrate performance to licensing, certifying, and accrediting bodies; and to demonstrate performance for reimbursement purposes. This chapter begins with an examination of the licensure, certification, and accreditation of health care facilities and health plans, followed by an overview of key comparative data sets often used by health care organizations in benchmarking performance. The chapter concludes with a description of the national initiatives using performance measures to improve the quality and safety of health care, including those affecting provider reimbursement.
In the section titled “Licensure, Certification, and Accreditation,” we define these processes, list the accrediting organizations recognized by CMS, and examine the missions and general functions of the Joint Commission and the National Committee for Quality Assurance (NCQA). These discussions focus on how the licensure, certification, and accreditation processes not only use health information to measure performance but also how they influence the health care information that is collected.
“Measuring the Quality of Care” begins with a historical perspective of major milestones in the national agenda for health care quality improvement, followed by a discussion of the current efforts to improve health care quality and patient safety, focusing on the efforts that involve using health care data and information to measure performance. Quality measures are created and validated by a range of organizations, private and public. However, in recent years significant progress has been made in aligning these measures across organizations. Another significant movement related to quality measurement in the United States is implementation of value-based reimbursement programs, which are based on established performance criteria. The government plans for significant growth in these programs over the next decade.
Licensure, Certification, and Accreditation
Health care organizations, such as hospitals, nursing homes, home health agencies, and the like, must be licensed to operate. If they wish to file Medicare or Medicaid claims, they must also be certified, and if they wish to demonstrate quality performance, they will undergo an accreditation process. What are these processes, and how are they related? If a health care organization is licensed, certified, and accredited, how will this affect the health care information that it creates, uses, and maintains? In this section we will examine each of these processes, their impact on the health care organizations, and their relationships with one another.
Licensure
Licensure is the process that gives a facility legal approval to operate. As a rule, state governments oversee the licensure of health care facilities, and each state sets its own licensure laws and regulations. All facilities must have a license to operate, and it is generally the state department of health or a similar agency that carries out the licensure function. Licensure regulations tend to emphasize areas such as physical plant standards, fire safety, space allocations, and sanitation. They may also contain minimum standards for equipment and personnel. A few states tie licensure to professional standards and quality of care, but not all. In their licensure regulations, states generally set minimum standards for the content, retention, and authentication of patient medical records. Exhibit 10.1 is an excerpt from the South Carolina licensure regulations for hospitals. This excerpt governs patient medical record content (with the exception of newborn patient records, which are addressed in a separate section of the regulations). Although each state has its own set of medical record content standards, these are fairly typical in scope and content.
Exhibit 10.1 Medical Record Content: Excerpt from South Carolina Standards for Licensing Hospitals and Institutional General Infirmaries
601.5 Contents:
A. Adequate and complete medical records shall be written for all patients admitted to the hospital and newborns delivered in the hospital. All notes shall be legibly written or typed and signed. Although use of initials in lieu of licensed nurses' signatures is not encouraged, initials will be accepted provided such initials can be readily identified within the medical record. A minimum medical record shall include the following information:
1. Admission Record: An admission record must be prepared for each patient and must contain the following information, when obtainable: Name; address, including county; occupation; age; date of birth; sex; marital status; religion; county of birth; father's name; mother's maiden name; husband's or wife's name; dates of military service; health insurance number; provisional diagnosis; case number; days of care; social security number; the name of the person providing information; name, address and telephone number of person or persons to be notified in the event of emergency; name and address of referring physician; name, address and telephone number of attending physician; date and hour of admission;
2. History and physical within 48 hours after admission;
3. Provisional or working diagnosis;
4. Pre-operative diagnosis;
5. Medical treatment;
6. Complete surgical record, if any, including technique of operation and findings, statement of tissue and organs removed and post-operative diagnosis;
7. Report of anesthesia;
8. Nurses' notes;
9. Progress notes;
10. Gross pathological findings and microscopic;
11. Temperature chart, including pulse and respiration;
12. Medication Administration Record or similar document for recording of medications, treatments and other pertinent data. Nurses shall sign this record after each medication administered or treatment rendered;
13. Final diagnosis and discharge summary;
14. Date and hour of discharge summary;
15. In case of death, cause and autopsy findings, if autopsy is performed;
16. Special examinations, if any, e.g., consultations, clinical laboratory, x-ray and other examinations.
Source: South Carolina Department of Health and Environmental Control, Standards for Licensing Hospitals and Institutional General Infirmaries, Regulation 61–16 § 601.5 (2010).
An initial license is required before a facility opens its doors, and this license to operate must generally be renewed annually. Some states allow organizations with the Joint Commission or other accreditation to forgo a formal licensure survey conducted by the state; others require the state survey regardless of accreditation status. As we will see in the section on accreditation, the accrediting bodies' standards are more detailed and more stringent than the typical state licensure regulations. Also, most accreditation standards are updated annually; most licensure standards are not.
Certification
Certification gives a health care organization the authority to participate in the federal Medicare and Medicaid programs. Legislation passed in 1972 mandated that hospitals had to be reviewed and certified to receive reimbursement from Medicare and Medicaid programs (CMS, n.d.a). At that time the Health Care Financing Administration, now the Centers for Medicare and Medicaid Services (CMS), developed a set of minimum standards known as the conditions of participation (CoPs). CMS contracts with state agencies to inspect facilities to make sure they meet these minimum standards, organized by facility functions and services. See Exhibit 10.2 for the CoP standards section governing medical record content.
Exhibit 10.2 Medical Record Content: Excerpt from the Conditions of Participation for Hospitals
Sec. 482.24 Condition of participation: Medical record services.
(c) Standard: Content of record. The medical record must contain information to justify admission and continued hospitalization, support the diagnosis, and describe the patient's progress and response to medications and services.
(1) All entries must be legible and complete, and must be authenticated and dated promptly by the person (identified by name and discipline) who is responsible for ordering, providing, or evaluating the service furnished.
(i) The author of each entry must be identified and must authenticate his or her entry.
(ii) Authentication may include signatures, written initials or computer entry.
(2) All records must document the following, as appropriate:
(i) Evidence of a physical examination, including a health history, performed no more than 7 days prior to admission or within 48 hours after admission.
(ii) Admitting diagnosis.
(iii) Results of all consultative evaluations of the patient and appropriate findings by clinical and other staff involved in the care of the patient.
(iv) Documentation of complications, hospital acquired infections, and unfavorable reactions to drugs and anesthesia.
(v) Properly executed informed consent forms for procedures and treatments specified by the medical staff, or by Federal or State law if applicable, to require written patient consent.
(vi) All practitioners' orders, nursing notes, reports of treatment, medication records, radiology, and laboratory reports, and vital signs and other information necessary to monitor the patient's condition.
(vii) Discharge summary with outcome of hospitalization, disposition of case, and provisions for follow-up care.
(viii) Final diagnosis with completion of medical records within 30 days following discharge.
Source: Conditions of Participation: Medical Record Services, 42 C.F.R. §§ 482.24c et seq. (2007).
Accreditation
Accreditation is an external review process that an organization elects to undergo; it is voluntary and has fees associated with it. The accrediting agency grants recognition to organizations that meet its predetermined performance standards. The review process and standards are devised and regulated by the accrediting agency. By far the best-known health care accrediting agency in the United States is the Joint Commission, but there are others. The National Committee for Quality Assurance (NCQA) is a leading accrediting agency for health plans.
Although accreditation is voluntary, there are financial and legal incentives for health care organizations to seek accreditation. In order to eliminate duplicative processes, Section 1865 of the Social Security Act “permits providers and suppliers ‘accredited’ by an approved national accreditation organization (AO) to be exempt from routine surveys by State survey agencies to determine compliance with Medicare conditions” (CMS, 2015). This is often referred to as deemed status. Table 10.1 lists the 2015 approved AOs with corresponding program types and websites.
Table 10.1 2015 approved CMS accrediting organizations

| Accrediting Organization | Program Types | Website |
|---|---|---|
| Accreditation Association for Ambulatory Health Care (AAAHC) | ASC (ambulatory surgery center) | www.aaahc.org |
| Accreditation Commission for Health Care, Inc. (ACHC) | HHA (home health agency); Hospice | www.achc.org |
| American Association for Accreditation of Ambulatory Surgery Facilities (AAAASF) | ASC; OPT (outpatient physical therapy); RHC (rural health clinics) | www.aaaasf.org |
| American Osteopathic Association/Healthcare Facilities Accreditation Program (HFAP) | ASC; CAH (critical access hospital); Hospital | www.hfap.org |
| Center for Improvement in Healthcare Quality (CIHQ) | Hospital | www.cihq.org |
| Community Health Accreditation Program (CHAP) | HHA; Hospice | www.chapinc.org |
| DNV GL—Healthcare (DNV GL) | CAH; Hospital | www.dnvglhealthcare.com |
| The Compliance Team (TCT) | RHC | www.thecomplianceteam.org |
| The Joint Commission (TJC) | ASC; CAH; HHA; Hospice; Hospital; Psychiatric hospital | www.jointcommission.org |
Similar to CMS, many states also recognize accreditation in lieu of their own licensure surveys. Other benefits for an organization are that accreditation
May be required for reimbursement from payers (including CMS)
Validates the quality of care within the organization
May favorably influence liability insurance premiums
May enhance access to managed care contracts
Gives the organization a competitive edge over nonaccredited organizations
The Joint Commission
The Joint Commission's stated mission is “to continuously improve health care for the public, in collaboration with other stakeholders, by evaluating health care organizations and inspiring them to excel in providing safe and effective care of the highest quality and value” (The Joint Commission, n.d.). The Joint Commission on Accreditation of Hospitals (as the Joint Commission was first called) was formed as an independent, not-for-profit organization in 1951, as a joint effort of the American College of Surgeons, American College of Physicians, American Medical Association, and American Hospital Association. The Joint Commission has grown and evolved to set standards for and accredit nearly twenty-one thousand health care organizations and programs in the United States. In addition to hospitals, the Joint Commission has accreditation programs for health care organizations that offer ambulatory care, behavioral health care, home care, long-term care, and office-based surgery. They also provide an accreditation program for organizations that offer laboratory services (The Joint Commission, 2016, n.d.).
In order to maintain accreditation, a health care organization must undergo an on-site survey by a Joint Commission survey team every three years. Laboratories must be surveyed every two years. This survey is conducted to ensure that the organization continues to meet the established standards. The standards themselves are the result of an ongoing, dynamic process that incorporates the experience and perspectives of health care professionals and others throughout the country. New standards manuals are published annually and health care organizations are responsible for knowing and incorporating any changes as they occur.
Categories of accreditation (The Joint Commission, 2016) that an organization can achieve are the following:
Preliminary accreditation: for organizations that demonstrate compliance with selected standards under the Early Survey Policy, which allows organizations to undergo a survey prior to having the ability to demonstrate full compliance. Organizations that receive preliminary accreditation will be required to undergo a second on-site survey.
Accreditation: for organizations that demonstrate compliance with all standards.
Accreditation with follow-up survey: for organizations that are not in compliance with specific standards and require a follow-up survey within thirty days to six months.
Contingent accreditation: for organizations that fail to address all requirements in an accreditation with follow-up survey decision or for organizations that do not have the proper license or other similar issue at the time of the initial survey. A follow-up survey is generally required within thirty days.
Preliminary denial of accreditation: for organizations for which there is justification for denying accreditation. This decision is subject to appeal.
Denial of accreditation: for organizations that fail to meet standards and that have exhausted all appeals.
The Joint Commission focus on quality of care provided in health care facilities dates back to the early 1900s, when the American College of Surgeons began surveying hospitals and established a hospital standardization program. With the program came the question, how is quality of care measured? One of the early concerns of the standardization program was the lack of documentation in patient records. The early surveyors found that documentation was so poor that they had no way to judge the quality of care provided. The Joint Commission's emphasis on health care information and the documentation of care has continued to the present. Not only do the Joint Commission reporting requirements rely heavily on patient information but also the current survey process uses “tracer methodology,” through which the surveyors analyze the organization's systems by tracing the care provided to individual patients. Patient records provide the road maps for the tracer methodology. The absence of quality health records would have a direct impact on the accreditation process. The following sections discuss Joint Commission standards that directly influence the creation, maintenance, and use of health care information. These sections further illustrate how the overall accreditation process relies on the availability of high-quality health care information (The Joint Commission, 2016).
The Joint Commission Record of Care (RC), Treatment, and Services Standards
The Joint Commission Record of Care (RC), Treatment, and Services standards provide information about the requirements for the content of a complete health record, regardless of its format. The RC standards for an ambulatory care program dictate that the organization will do the following:
Maintain complete and accurate clinical records.
Ensure clinical record entries are authenticated appropriately by authorized persons.
Ensure documentation in clinical records is timely.
Audit their clinical records.
Retain their clinical records according to relevant laws and regulations.
Ensure clinical records contain specific information that reflects the patient's care, treatment, or services.
Ensure clinical records accurately reflect operative and high-risk procedures and use of sedation and anesthesia.
Ensure documentation of proper use of restraints and seclusion.
Ensure ambulatory care records contain a summary list.
Ensure qualified staff members receive and record verbal orders. (The Joint Commission, 2014b)
Each RC standard has specific elements that must be addressed. For more information, refer to the most recent edition of the appropriate Comprehensive Accreditation Manual. All Joint Commission–accredited organizations have access to the complete manual.
The Joint Commission Information Management Standards
The Joint Commission Information Management (IM) standards reflect the Joint Commission's belief that quality information management influences quality care. In the overview of the IM standards, the Joint Commission states, “Every episode of care generates health information that must be managed systematically” (emphasis is the authors'). Information is a resource that must be managed similar to any other resource within the organization. Whether the information management systems employed by the organization are basic or sophisticated, the functions should include features that allow for the following:
Categorizing, filing, and maintaining all data and information used by the organization
Accurately capturing health information generated by delivery of care, treatment, and services
Accessing information by those authorized users who need the information to provide safe, quality care (The Joint Commission, 2014a)
The IM standards apply to noncomputerized systems and systems employing the latest technologies. The first standard within the IM chapter focuses on information planning. The organization's plan for IM should consider the full spectrum of data generated and used by the organization as well as the flow of information within and to and from external organizations. Identifying and understanding the flow of information is critical to meeting the organization's needs for data collection and distribution while maintaining the appropriate level of security (The Joint Commission, 2014a). The remaining IM standards address the requirements for health care organizations:
Provide continuity of the information management process, including managing system interruptions and maintaining backup systems.
Ensure the privacy, security, and integrity of health information.
Manage data collection, including use of standardized data sets and terminology and limiting the use of abbreviations.
Manage health information retrieval, dissemination, and transmission.
Provide knowledge-based information resources twenty-four hours a day, seven days a week.
Ensure the accuracy of the health information. (The Joint Commission, 2011, 2014a)
National Committee for Quality Assurance
The National Committee for Quality Assurance (NCQA) is the leading accrediting body for health plans, including health maintenance organizations (HMOs), Preferred Provider Organizations (PPOs), and Point of Service (POS) plans in the United States. In addition, the NCQA also accredits the following programs:
Disease management
Case management
Wellness and health promotion
Accountable care organizations
Managed behavioral health care organizations (NCQA, n.d.a)
The full list of NCQA accreditation requirements is published on its website at www.ncqa.org. The 2015 Health Plan Accreditation Program requirements include specific criteria divided into the following sections:
Quality management and improvement (QI)
Utilization management (UM)
Credentialing and recredentialing (CR)
Members' rights and responsibilities (RR)
Member connections (MEM)
Medicaid benefits and services (MED)
Health Effectiveness Data and Information Set (HEDIS) performance measures (see the “Measuring the Quality of Care” section for more information about HEDIS) (NCQA, 2015).
Measuring the Quality of Care
Two landmark Institute of Medicine (IOM) reports, To Err Is Human: Building a Safer Health System, published in 2000 (Kohn, Corrigan, & Donaldson), and Crossing the Quality Chasm: A New Health System for the 21st Century, published in 2001, are often cited as marking the beginning of the modern era of national health care quality and patient safety initiatives. The two reports led to increased awareness of the severity of patient safety and quality issues and helped frame the national landscape of improvement efforts. To Err Is Human estimated that as many as ninety-eight thousand people died in hospitals each year as a result of preventable medical errors. The report found that most errors could be traced to poor processes and systems and recommended development and implementation of improved performance standards, including those associated with licensure, certification, and accreditation. Crossing the Quality Chasm specifically outlined six aims for establishing quality health care, stating that health care in the United States should be (CMSS, 2014; Kohn, Corrigan, & Donaldson, 2000; IOM, 2001):
1. Safe
2. Effective
3. Patient-centered
4. Timely
5. Efficient
6. Equitable
One of the challenges to meeting these aims was determining how to measure success in each area. What are the standards and performance measures associated with these important aims?
Types of Measures
Whether at the local organizational level or at a national level, quality improvement requires the identification of standards that define quality care and measurement of performance to determine whether or not the identified standards are met. Quality measures are used across the full continuum of care, from individual physicians to health plans. As we will examine in this chapter, there are literally hundreds of different health care quality measures in use today. These existing quality measures can generally be categorized into four types: structure, process, outcome, and patient experience. Table 10.2 summarizes the types of measures, descriptions, and examples of each.
Table 10.2 Major types of quality measures
Source: Morris (2014).

| Type | Description | Example |
|---|---|---|
| Structure | Assesses the characteristics of a care setting, including facilities, personnel, and policies related to care delivery | Does an intensive care unit (ICU) have a critical care specialist on staff at all times? |
| Process | Determines if the services provided to patients are consistent with routine clinical care | Does a doctor ensure that his or her patients receive recommended cancer screenings? |
| Outcome | Evaluates patient health as a result of the care received | What is the survival rate for patients who experience a heart attack? |
| Patient Experience | Provides feedback on patients' experiences of care | Do patients report that their provider explains their treatment options in ways that are easy to understand? |
Data Sources for Measures
Whether quality measures are applied by an individual physician or by a federal agency, they rely on valid and reliable data. A few of the common sources of health care data used in performance measurement are listed in the following sections.
Administrative Data
Administrative data submitted to private and government payers have the advantage of being easy to obtain. Private and public payers have very large claims databases.
Disease Registries
Public health agencies, including state and federal agencies, collect data on patients with specific conditions. These disease registries often go beyond administrative claims data.
Health Records
The EHR is recognized as a rich source of detailed patient information. However, the full potential of the EHR as an easy-to-use source of reliable data has not been reached. More work on standardization and tools for data extraction is needed. Data extraction from paper records is labor intensive and, therefore, expensive to implement. As you have seen in previous chapters, Meaningful Use criteria address the need for EHR data extraction and sharing.
Qualitative Data
Qualitative data from patient surveys or interviews are often used for patient experience measures (Morris, 2014).
Measurement Development
Regardless of the data source, the resulting measures must not only be reliable and valid but also feasible to collect (CMSS, 2015). There are dozens of public and private organizations that develop health care–related performance measures. The following paragraphs identify a few of the key players and their respective role in the development of recognized measures.
The NCQA is responsible for the HEDIS measures, one of the oldest and most widely used sets of health care performance measures in the United States. More than 90 percent of health plans in the United States collect and report HEDIS data. HEDIS data are used not only for accreditation of health plans but also as the basis for health plan comparison and quality improvement.
The Joint Commission also has a long history of developing and using performance measures as a component of accreditation. In 1987, the Joint Commission revamped its accreditation process with the goal of incorporating standardized performance measures. This initiative led to the development of the ORYX program. The current ORYX program is closely aligned with CMS quality initiatives, using many of the same measures. Hospitals seeking Joint Commission Accreditation in 2016 were required to report on six of nine sets of chart (paper)-abstracted clinical quality measures (CQMs) or six of eight electronic clinical quality measures (eCQMs) (The Joint Commission, 2015b).
CQMs are identified and updated by CMS each year. Selected CQMs are used in the EHR Incentive Programs for eligible professionals and other CMS quality initiatives (discussed later in this chapter). The CMS does not develop all of the CQMs but rather relies on private organizations, such as NCQA, the Joint Commission, the American Medical Association Physician Consortium for Performance Improvement (AMA-PCPI), and a host of other health care societies, collaboratives, and alliances, as well as government agencies, such as AHRQ, Centers for Disease Control and Prevention (CDC), and Health Resources and Services Administration (HRSA) for most of them. Table 10.3 is an excerpt from the CQMs for the 2014 EHR Incentive Programs. Note that each measure is defined by a unique identifier, National Quality Forum (NQF) number, a measure description, numerator and denominator statements, measure steward, and Physicians Quality Reporting System (PQRS) number. Note: The PQRS role in quality improvement and performance measurement is discussed in more detail later in this chapter.
Table 10.3 Excerpt of CQMs for 2014 EHR Incentive Programs
Source: CMS (n.d.f).

CMS eMeasure ID: CMS69v5
NQF No.: 0421
Measure Title and NQS Domain: Preventive Care and Screening: Body Mass Index (BMI) Screening and Follow-Up Plan. Domain: Population/Public Health
Measure Description: Percentage of patients aged eighteen years and older with a BMI documented during the current encounter or during the previous six months AND with a BMI outside of normal parameters, a follow-up plan is documented during the encounter or during the previous six months of the current encounter. Normal Parameters: Age eighteen years and older BMI ≥ 18.5 and < 25 kg/m²
Numerator Statement: Patients with a documented BMI during the encounter or during the previous six months, AND when the BMI is outside of normal parameters, a follow-up plan is documented during the encounter or during the previous six months of the current encounter
Denominator Statement: All patients eighteen and older on the date of the encounter with at least one eligible encounter during the measurement period

CMS eMeasure ID: CMS132v5
NQF No.: 0564
Measure Title and NQS Domain: Cataracts: Complications within Thirty Days Following Cataract Surgery Requiring Additional Surgical Procedures. Domain: Patient Safety
Measure Description: Percentage of patients aged eighteen years and older with a diagnosis of uncomplicated cataract who had cataract surgery and had any of a specified list of surgical procedures in the thirty days following cataract surgery which would indicate the occurrence of any of the following major complications: retained nuclear fragments, endophthalmitis, dislocated or wrong power IOL, retinal detachment, or wound dehiscence
Numerator Statement: Patients who had one or more specified operative procedures for any of the following major complications within thirty days following cataract surgery: retained nuclear fragments, endophthalmitis, dislocated or wrong power IOL, retinal detachment, or wound dehiscence
Denominator Statement: All patients aged eighteen years and older who had cataract surgery and no significant ocular conditions impacting the surgical complication rate

CMS eMeasure ID: CMS133v5
NQF No.: 0565
Measure Title and NQS Domain: Cataracts: 20/40 or Better Visual Acuity within Ninety Days Following Cataract Surgery. Domain: Clinical Process/Effectiveness
Measure Description: Percentage of patients aged eighteen years and older with a diagnosis of uncomplicated cataract who had cataract surgery and no significant ocular conditions impacting the visual outcome of surgery and had best-corrected visual acuity of 20/40 or better (distance or near) achieved within 90 days following the cataract surgery
Numerator Statement: Patients who had best-corrected visual acuity of 20/40 or better (distance or near) achieved within ninety days following cataract surgery
Denominator Statement: All patients aged eighteen years and older who had cataract surgery

CMS eMeasure ID: CMS158v5
NQF No.: N/A
Measure Title and NQS Domain: Pregnant Women That Had HBsAg Testing. Domain: Clinical Process/Effectiveness
Measure Description: This measure identifies pregnant women who had a HBsAg (hepatitis B) test during their pregnancy
Numerator Statement: Patients who were tested for hepatitis B surface antigen (HBsAg) during pregnancy within 280 days prior to delivery
Denominator Statement: All female patients aged twelve and older who had a live birth or delivery during the measurement period

CMS eMeasure ID: CMS159v5
NQF No.: 0710
Measure Title and NQS Domain: Depression Remission at Twelve Months. Domain: Clinical Process/Effectiveness
Measure Description: Patients age eighteen and older with major depression or dysthymia and an initial Patient Health Questionnaire (PHQ-9) score greater than nine who demonstrate remission at twelve months (+/- 30 days after an index visit) defined as a PHQ-9 score less than five. This measure applies to both patients with newly diagnosed and existing depression whose current PHQ-9 score indicates a need for treatment.
Numerator Statement: Patients who achieved remission at twelve months as demonstrated by a twelve month (+/- 30 days grace period) PHQ-9 score of less than five
Denominator Statement: Patients age eighteen and older with a diagnosis of major depression or dysthymia and an initial PHQ-9 score greater than nine during the index visit

The NQF is a nonprofit, member organization whose mission is “to lead national collaboration to improve health and healthcare quality through measurement” (NQF, n.d.). It was created in 1999 and includes board members from private and public sectors, including providers, purchasers, and representatives from AHRQ, CDC, CMS, and HRSA. The NQF maintains a large, searchable database of performance measures. Measures can be searched on the NQF website (www.qualityforum.org) by any combination of the following dimensions:
Endorsement Status (e.g., Endorsed, Not Endorsed)
Measure Status (Time Limited, Reserved)
Measure Format (eMeasure, Measure)
Measure Steward (e.g., NCQA, CMS, The Joint Commission)
Use in Federal Program (e.g., Meaningful Use, Medicare Shared Savings Program)
Clinical Condition/Topic Area (e.g., Cancer, Infectious Disease)
Cross-Cutting Area (e.g., Overuse, Safety, Disparities)
Care Setting (e.g., Ambulatory Care, Home Health, Hospital)
National Quality Strategy Priorities (e.g., Affordable Care, Patient Safety)
Actual/Planned Use (e.g., Public Reporting, Payment Program)
Data Source (e.g., Administrative Data, Electronic Clinical Data, Healthcare Provider Survey)
Level of Analysis (e.g., Clinician, Facility, Health Plan)
Target Population (Children's Health)
Figure 10.1 is a screenshot from the NQF website showing a few of the thousand-plus measures in the database that are classified as Home Health.
Figure 10.1 Screenshot from NQF Source: National Quality Forum (2016). Copyright ©2016 National Quality Forum. Used with permission.
Comparative Health Care Data Sets
Comparative health care data sets and information are often aligned with organizations' quality improvement efforts. An organization might collect data on one or more of the specific performance measures, such as those previously identified, and then use this information to compare its performance to other similar organizations or state average results, for example. The process of comparing one or more performance measures against a standard is called benchmarking. Benchmarking may be limited to internally set standards; however, frequently it employs one or more externally generated benchmark or standard.
Providers may select from many publicly and privately available health care data sets for benchmarking purposes. Many of the organizations identified in the previous section not only develop standards but also provide searchable websites that enable consumers and providers to compare results of their measures across multiple organizations. Although each comparative data set is unique, they can be loosely
categorized by purpose: patient satisfaction, practice patterns, or clinical data. The following paragraphs identify some of the more well-known and frequently used comparative data sets and list their associated searchable website when applicable.
Patient Satisfaction Data Sets
Patient satisfaction data generally come from survey data. Several private organizations, such as NRC+Picker, Press Ganey, and the health care division of Gallup, provide extensive consulting services to health care organizations across the country. One of these services is to conduct patient satisfaction surveys. Some health care organizations undertake patient satisfaction surveys on their own. The advantage of using a national organization is the comparative database it offers, which organizations can use for benchmarking purposes.
Some of the most widely used groups of patient experience surveys in the public arena were developed under the Agency for Healthcare Research and Quality (AHRQ) Consumer Assessment of Healthcare Providers and Systems (CAHPS) program. CAHPS originated in 1995 to assess participants' perspectives on their health plans. Since that time the program has evolved to include the following surveys:
Health Plan
Clinician & Group
Hospital
Home Health Care
In-Center Hemodialysis
Nursing Home
Surgical Care
American Indian
Dental Plan
Experience of Care and Health Outcomes (for mental health and substance abuse services)
CAHPS surveys are available to any organization. Federal agencies, such as CMS, use the CAHPS survey results, but the results are also used by health systems, physician practices, hospitals, and other health care providers in their quality improvement efforts (AHRQ, 2016). The Hospital CAHPS (HCAHPS) results are available to consumers as a part of CMS Hospital Compare (discussed under “Clinical Data Sets”) and from the AHRQ website. Information about the CAHPS comparative data and access to the database and chart books is located at
http://www.ahrq.gov/cahps/cahps-database/comparative-data/index.html (AHRQ, 2016).
Practice Patterns Data Set
The Dartmouth Atlas is a widely used, interactive, online tool that enables health care organizations to compare data across a wide variety of parameters. The project is a privately funded program through the Dartmouth Institute for Health Policy and Clinical Practice, which primarily uses Medicare data to document variations in the use of medical resources across the United States. To access the Dartmouth Atlas, go to http://www.dartmouthatlas.org (The Dartmouth Institute, n.d.).
Clinical Data Sets
The Joint Commission and CMS are committed to the improvement of clinical outcomes, and as a part of that commitment they provide consumers with comparative data that encompasses clinical measures. The Joint Commission's Quality Check has evolved since its introduction in 1994 to become a comprehensive guide to health care organizations in the United States. Visitors to www.Qualitycheck.org can search for health care organizations by a variety of parameters, identify accreditation status, and compare hospital performance measures in terms of the Joint Commission's (2015a) National Patient Safety Goals. The 2016 National Patient Safety Goals for Hospitals describes sixteen specific goals, including these:
Identifying patients correctly
Improving staff member communication
Using medicines safely
Using alarms safely
Preventing infection
Identifying patient safety risks
Preventing mistakes in surgery (The Joint Commission, 2016)
Hospital Compare is the CMS-sponsored interactive, online comparative data set. Located at www.medicare.gov/hospitalcompare, this data set contains information about the quality of care at over four thousand Medicare-certified hospitals. The interactive tool enables consumers to compare clinical and patient satisfaction data. The purpose of the tool is to promote informed decision making by consumers of hospital care and to encourage hospitals to improve the quality of care they provide (CMS, n.d.b). In addition to Hospital Compare, CMS sponsors public reporting of other health care organizations, such as nursing homes, home health agencies, and
kidney dialysis facilities (CMS, n.d.d).
Comparative Data for Health Plans
In addition to data sets used by providers, the NCQA website enables consumers to have access to comparative data for health plans through a variety of report cards. The majority of the comparative data is derived from HEDIS and CAHPS. NCQA health care report cards are found at http://reportcard.ncqa.org. NCQA also offers a subscription service for a more detailed interactive tool, Quality Compass (NCQA, n.d.b, n.d.c).
Federal Quality Improvement Initiatives
As stated at the beginning of the chapter, the publication of the IOM reports addressing serious quality concerns marked a new era of government initiatives to improve the quality of patient care. Multiple new programs were established and new efforts to link Medicare and Medicaid reimbursement to quality care were undertaken. In this section we will examine the Patient Safety Act, the National Quality Strategy, and a selection of related government programs aimed at improving the quality of health care through performance measurement including the related aspects of the Medicare Access & CHIP Reauthorization Act of 2015 (MACRA).
The Patient Safety Act
The IOM To Err Is Human: Building a Safer Health System (Kohn, Corrigan, & Donaldson, 2000) outlined serious concerns about and the need to improve the safety and quality of health care in the United States. Despite the ongoing efforts by voluntary accrediting bodies to ensure high-quality care, this report identified a critical need for reporting and analyzing individual facility and aggregate data related to adverse events. To address the need to capture information to improve health care quality and prevent harm to patients, the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act) was passed by Congress “to promote shared learning to enhance quality and safety nationally.” To implement the act, the Department of Health and Human Services issued the Patient Safety Rule (effective January 2009), which authorized the identification of Patient Safety Organizations (PSOs). As of August 2016, there were eighty-two PSOs in twenty-eight states. PSOs are responsible for the collection and analysis of health information that is referred to in the Final Rule as patient safety work product (PSWP). The PSWP contains identifiable patient information that is covered by specific privilege and confidentiality protections (AHRQ, n.d.a).
The types of patient safety events that are reported under these protections include the following:
Incidents: patient safety events that reached the patient, whether or not there was harm involved
Near misses (or close calls): patient safety events that did not reach the patient
Unsafe conditions: circumstances that increase the probability of a patient safety event occurring
To facilitate these activities, AHRQ has created Common Formats, which are “common definitions and reporting formats to help providers uniformly report patient safety events” (AHRQ, n.d.b).
National Quality Strategy
The requirement for a National Strategy for Quality Improvement in Health Care (National Quality Strategy) was established by the Affordable Care Act and subsequently published in 2011. More than three hundred groups and individuals representing all aspects of the health care industry and public provided input. It has subsequently been updated on an annual basis, but the three broad aims and six priorities have remained consistent. The three broad aims used to “guide and assess national efforts to improve health and the quality of health care” (AHRQ, 2011) are as follows:
1. Better care: Improve the overall quality by making health care more patient-centered, reliable, accessible, and safe.
2. Healthy people/healthy communities: Improve the health of the US population by supporting proven interventions to address behavioral, social, and environmental determinants of health in addition to delivering higher-quality care.
3. Affordable care: Reduce the cost of quality health care for individuals, families, employers, and government
To achieve these aims, the National Quality Strategy identifies the following six priorities:
1. Making care safer by reducing harm caused in the delivery of care
2. Ensuring that each person and family are engaged as partners in their care
3. Promoting effective communication and coordination of care
4. Promoting the most effective prevention and treatment practices for the leading causes of mortality, starting with cardiovascular disease
5. Working with communities to promote wide use of best practices to enable healthy living
6. Making quality care more affordable for individuals, families, employers, and governments by developing and spreading new health care delivery models
The strategy goes further by recommending that all sectors of the health care system (individuals, families, payers, providers, employers, and communities) employ one or more of the following “levers” to “align” with the National Quality Strategy (NQS) (AHRQ, 2011):
Measurement and feedback: Provide performance feedback to plans and providers to improve care.
Public reporting: Compare treatment results, costs, and patient experience for consumers.
Learning and technical assistance: Foster learning environments that offer training, resources, tools, and guidance to help organizations achieve quality improvement goals.
Certification, accreditation, and regulation: Adopt or adhere to approaches to meet safety and quality standards.
Consumer incentives and benefit designs: Help consumers adopt healthy behaviors and make informed decisions.
Payment: Reward and incentivize providers to deliver high-quality, patient-centered care.
Health information technology: Improve communication, transparency, and efficiency for better coordinated health and health care.
Innovation and diffusion: Foster innovation in health care quality improvement, and facilitate rapid adoption within and across organizations and communities.
Workforce development: Invest in people to prepare the next generation of health care professionals and support lifelong learning for providers.
CMS Quality Programs
The Centers for Medicare and Medicaid (CMS) released its specific Quality Strategy in 2016, which is based on the NQS. Adhering to the same broad aims in the NQS, CMS developed a strategy to improve health care delivery by the following means:
Using incentives to improve care
Tying payment to value through new payment models
Changing how care is given through
Better teamwork
Better coordination across health care settings
More attention to population health
Putting the power of health care information to work (CMS, 2016)
Since 2001, CMS has engaged in a variety of Quality Initiatives, including initiatives that result in public reporting of performance measures as previously discussed. The Physician Quality Reporting System (PQRS) encourages individual “eligible professionals” (EPs) (e.g., physicians) and group practices to assess and report the quality of care provided to their patients. EPs and group practices that do not report on quality measures as outlined for Medicare Part B covered services risk a negative payment adjustment. There are several mechanisms for reporting PQRS data, including EHRs (CMS, n.d.g).
Using PQRS reporting to determine reimbursement for Medicare Part B is one of many mechanisms through which CMS incentivizes improved quality of care. CMS has multiple value-based or pay-for-performance programs aimed at tying reimbursements to demonstration of quality. CMS's original value-based programs were an attempt to link performance on endorsed quality measures to reimbursement. These programs included the following:
Hospital Value-Based Purchasing (HVBP) program rewards acute care hospitals for quality care using incentives.
Hospital Readmissions Reduction (HRR) program rewards acute care hospitals that reduce unnecessary hospital readmissions for certain conditions, such as acute myocardial infarction, heart failure, pneumonia, chronic obstructive pulmonary disease, elective hip or knee replacement, and coronary artery bypass surgery.
Hospital-Acquired Conditions (HAC) program determines whether or not an acute care hospital should be paid a reduced amount based on performance across health-acquired infections and unacceptable adverse events.
Value Modifier (VM) program (also known as Physician Value-Based Modifier or PVBM) rewards physicians (and, beginning in 2018, other primary care professionals, for example, physician assistants and nurse practitioners) for high-quality, lower-cost performance using an adjustment (modifier) for each claim.
Three other value-based programs are applied to end-stage renal disease programs, skilled nursing facilities, and home health programs.
Beyond these traditional value-based programs, CMS encourages innovative, alternative models of care through the CMS Innovation Center. These models are designed to promote lower-cost, higher-quality care. All depend on appropriate reporting of performance measures (CMS, n.d.h).
The Medicare Access and CHIP Reauthorization Act (MACRA)
The Medicare Access and CHIP Reauthorization Act (MACRA) was enacted in 2015. MACRA is one aspect of CMS's push toward improving quality and value. In January 2015, the Department of Health and Human Services announced two goals for value-based payments and alternative payment models (APMs):
Goal 1: 30 percent of Medicare payments are tied to quality or value through APMs by the end of 2016; 50 percent by the end of 2018.
Goal 2: 85 percent of Medicare fee-for-service payments are tied to quality or value by the end of 2016; 90 percent by the end of 2018.
They also invited private sector payers to match or exceed these same goals.
MACRA affects physician providers, moving HHS closer to meeting these goals. Key elements to MACRA are the following:
Changes the way Medicare rewards physicians and practitioners for value over volume
Streamlines multiple quality programs directed at physicians and practitioners under the new Merit-based Incentive Payment System (MIPS)
Provides bonus payments for physician and practitioner participation in eligible APMs (see Chapter One for examples of APMs)
MIPS will incorporate aspects of three existing quality and value programs: PQRS, Value-based Modifier, and the Medicare EHR Incentive Program. The resulting set of performance measures will be divided into the following categories to calculate a score (between 0 and 100) for eligible professionals. Each category of performance will be weighted as shown in Table 10.4.
Table 10.4 MIPS performance categories
Category                                  Weight (%)
Quality                                   50
Advancing care information                25
Clinical practice improvement activities  15
Resource use                              10
Health care providers meeting the established threshold score will receive no adjustment to payment; those scoring below will receive a negative adjustment and those above, a positive adjustment. Exceptional performers may receive bonus payments (CMS, n.d.c, n.d.e).
The exact implementation dates for MACRA were not set by the publication date for this textbook; however, the projected timetable for implementation of the various aspects of the law is shown in Figure 10.2 (CMS, n.d.c).
Figure 10.2 Projected timetable for implementation of MACRA Source: CMS (n.d.e).
Summary
In this chapter we examined how health care organizations and health plans use data and information to demonstrate performance to licensing, certifying, and accrediting bodies; to measure performance against internal and external standards; to compare performance to other similar organizations; and to demonstrate performance for reimbursement purposes. This chapter began with an examination of the licensure, certification, and accreditation of health care facilities and health plans, followed by an overview of key comparative data sets often used by health care organizations in benchmarking performance. The chapter further explored major milestones in the national agenda for health care quality improvement, followed by a discussion of the current efforts to improve health care quality and patient safety, focusing on the efforts that involve using health care data and information to measure performance. The private and public organizations responsible for developing and endorsing national quality measures were introduced, and the progress that has been made in aligning these measures across these organizations was discussed. The chapter concluded with an overview of the significant movement toward value-based reimbursement programs and plans for significant growth in these programs over the next decade.
Clearly, there is a bewildering and complex set of measures with many organizations involved. Consequently, many measures being collected are inconsistent across the organizations requiring them. There are differences of opinion about which measures are to be collected and the specific definitions of these measures. Efforts are under way, largely driven by CMS, to align measures to ease the collection burden for health care providers. However, today's reality remains an overwhelmingly complex web of standards and measurement requirements.
EHRs have been cited as the solution for easing the collection burden for health care organizations and providers. However, the most current EHR systems are limited in their ability to collect the required measures. The result is that organizations and providers must resort to manual data collection. In other chapters in this text we have explored reasons for the current limitations of EHRs in this area, including provider resistance because of the time burden. There is a largely unresolved tension in the health care community and HIT industry between the desire to collect accurate and timely measures and the provider resistance to entering the data into the EHR in a standard, retrievable format.
Key Terms
Accreditation
Accreditation organization (AO)
Administrative data
Agency for Healthcare Research and Quality (AHRQ)
Alternative payment models (APMs)
American Medical Association Physician Consortium for Performance Improvement (AMA-PCPI)
Centers for Disease Control and Prevention (CDC)
Centers for Medicare and Medicaid Services (CMS)
Certification
Clinical quality measures (CQMs)
Common formats
Comparative health care data sets
Conditions of participation (CoPs)
Consumer Assessment of Healthcare Providers and Systems (CAHPS)
Dartmouth Atlas
Deemed status
Disease registries
EHR Incentive Programs
Electronic clinical quality measures (eCQMs)
Eligible professionals
Health Effectiveness Data and Information Set (HEDIS)
Health records
Health Resources and Services Administration (HRSA)
Hospital-acquired conditions (HAC)
Hospital CAHPS (HCAHPS)
Hospital Compare
Hospital Readmissions Reduction (HRR)
Hospital Value-Based Purchasing (HVBP)
The Joint Commission
The Joint Commission Information Management (IM) standards
The Joint Commission Record of Care (RC), Treatment, and Services standards
Licensure
The Medicare Access and CHIP Reauthorization Act (MACRA)
Merit-based Incentive Payment System (MIPS)
National Committee for Quality Assurance (NCQA)
National Patient Safety Goals
National Quality Forum (NQF)
National Strategy for Quality Improvement in Health Care (National Quality Strategy)
NCQA health care report cards
Patient Safety Act
Patient Safety Organizations (PSOs)
Performance measures
Physician Value-Based Modifier (PVBM)
Physicians Quality Reporting System (PQRS) number
Qualitative data
Quality Check
Quality measures
Value Modifier (VM)
Learning Activities
1. Research two local health care organizations—one acute care facility and one other type of organization. Determine each organization's current licensure, accreditation, and certification status. How are these processes related within your state? Do the processes differ between the two types of health care organizations?
2. Visit the Joint Commission website at www.jointcommission.org. What accreditation programs (other than the Hospital Accreditation Program) does the Joint Commission have? List the programs and their respective missions.
3. Visit the NCQA website at www.ncqa.org and look up at least two health plans with which you are familiar. What do the report cards tell you about these plans? Do you find this information useful? Why or why not?
4. Visit the patient safety organization website at www.pso.ahrq.gov. Does your state have a PSO? If not, identify a PSO from a neighboring state. Research the PSO and report on how long it has operated and who its clients are.
5. Use Hospital Compare and the Joint Commission Quality Check to research three hospitals in your region of the country. Write a report outlining your findings. Would any of the information you discovered influence your choice of care for you or your family? Why or why not?
6. Research the current status of the CMS Quality programs discussed in this chapter. Write an update for this section of the chapter.
7. Research the current year's National Quality Strategy. Has it changed since this book was published? List the differences and comment on the changes.
8. Use the NQF website to identify four specific performance measures that are endorsed by NQF for physician practices. Research each measure to identify how each measure is calculated, including the source of the data, the numerator, and the denominator. Do you think these measures are a good reflection of quality practice? Why or why not?
References
Agency for Healthcare Research and Quality (AHRQ). (2011). National quality strategy (NQS). Retrieved August 31, 2016, from http://www.ahrq.gov/workingforquality/nqs/nqs2011annlrpt.pdf
Agency for Healthcare Research and Quality (AHRQ). (2016, July). Comparative data. Retrieved August 31, 2016, from http://www.ahrq.gov/cahps/cahps-database/comparative-data/index.html
Agency for Healthcare Research and Quality (AHRQ). (n.d.a). About the PSO program. Retrieved August 31, 2016, from https://pso.ahrq.gov/about
Agency for Healthcare Research and Quality (AHRQ). (n.d.b). Common formats. Retrieved August 31, 2016, from https://pso.ahrq.gov/common
Centers for Medicare and Medicaid (CMS). (2015, Sept.). CMS-approved accrediting organizations contacts for prospective clients. Retrieved August 30, 2016, from https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Accrediting-Organization-Contacts-for-Prospective-Clients-.pdf
Centers for Medicare and Medicaid (CMS). (2016). CMS quality strategy 2016. Retrieved August 31, 2016, from https://www.cms.gov/medicare/quality-initiatives-patient-assessment-instruments/qualityinitiativesgeninfo/downloads/cms-quality-strategy.pdf
Centers for Medicare and Medicaid (CMS). (n.d.a). Accreditation of Medicare-certified providers & suppliers. Retrieved August 21, 2016, from https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Accreditation-of-Medicare-Certified-Providers-and-Suppliers.html
Centers for Medicare and Medicaid (CMS). (n.d.b). Hospital compare. Retrieved August 31, 2016, from https://www.medicare.gov/hospitalcompare
Centers for Medicare and Medicaid (CMS). (n.d.c). MACRA. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-MIPS-and-APMs.html
Centers for Medicare and Medicaid (CMS). (n.d.d). Medicare. Retrieved August 31, 2016, from https://www.cms.gov/Medicare
Centers for Medicare and Medicaid (CMS). (n.d.e). The Medicare Access & CHIP Reauthorization Act of 2015: Path to value. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-LAN-PPT.pdf
Centers for Medicare & Medicaid Services. (n.d.f). The merit-based incentive payment system: MIPS scoring methodology overview. Retrieved August 4, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MIPS-Scoring-Methodology-slide-deck.pdf
Centers for Medicare and Medicaid (CMS). (n.d.g). Physician quality reporting system. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/PQRS/index.html?redirect=/pqri
Centers for Medicare and Medicaid (CMS). (n.d.h). Value-based programs. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/Value-Based-Programs.html
Council of Medical Specialty Societies (CMSS). (2014, Nov.). The measurement of health care performance (3rd ed.). Retrieved August 21, 2016, from http://cmss.org/wp-content/uploads/2015/07/CMSS-Quality-Primer-layout.final.pdf
The Dartmouth Institute. (n.d.). Understanding of the efficiency and effectiveness of the health care system. Retrieved August 31, 2016, from http://www.dartmouthatlas.org/
Institute of Medicine Committee (IOM) on Quality in America. (2001). Crossing the quality chasm: A new health system for the 21st century. Washington, DC: National Academy Press.
The Joint Commission. (2011). Comprehensive accreditation manual for hospitals. Oakbrook Terrace, IL: Author.
The Joint Commission. (2014a, Aug.). Program: Ambulatory. Chapter: information management (e-dition). Retrieved August 21, 2016, from http://foh.hhs.gov/tjc/im/standards.pdf
The Joint Commission. (2014b, Aug.). Program: Ambulatory. Chapter: Record of care, treatment and services (e-dition). Retrieved August 21, 2016, from http://foh.hhs.gov/tjc/roc/standards.pdf
The Joint Commission. (2015a, Nov. 5). Hospital: 2016 national patient safety goals. Retrieved August 31, 2016, from https://www.jointcommission.org/hap_2016_npsgs/
The Joint Commission. (2015b, Sept. 2). Joint Commission measure sets effective January 1, 2016. Retrieved August 21, 2016, from https://www.jointcommission.org/joint_commission_measure_sets_effective_january_1_2016/
The Joint Commission. (2016, April 27). Accreditation process overview. Retrieved August 21, 2016, from https://www.jointcommission.org/accreditation_process_overview/
The Joint Commission. (n.d.). About the Joint Commission. Retrieved August 21, 2016, from https://www.jointcommission.org/about_us/about_the_joint_commission_main.aspx
Kohn, L. T., Corrigan, J., & Donaldson, M. S. (2000). To err is human: Building a safer health system. Washington, DC: National Academy Press.
Morris, C. (2014, May). Measuring health care quality: An overview of quality measures (Issue brief). FamiliesUSA. Retrieved August 21, 2016, from http://familiesusa.org/sites/default/files/product_documents/HIS_QualityMeasurement_Brief_final_web.pdf
National Committee for Quality Assurance (NCQA). (2015). 2015 NCQA health plan accreditation standards. Retrieved August 21, 2016, from http://www.ncqa.org/programs/accreditation/health-plan-hp
National Committee for Quality Assurance (NCQA). (n.d.a). About NCQA. Retrieved August 21, 2016, from http://www.ncqa.org/about-ncqa
National Committee for Quality Assurance (NCQA). (n.d.b). Quality compass. Retrieved August 21, 2016, from http://www.ncqa.org/tabid/177/Default.aspx
National Committee for Quality Assurance (NCQA). (n.d.c). Report cards. Retrieved August 21, 2016, from http://www.ncqa.org/report-cards
National Quality Forum (NQF). (n.d.). About us. Retrieved August 31, 2016, from http://www.qualityforum.org/About_NQF/
Chapter 11 Health Care Information System Standards
Learning Objectives
To be able to give examples of the methods by which standards are developed: ad hoc, de facto, government mandate, and consensus.
To be able to identify and discuss the role of organizations that currently have a significant impact on the adoption of health care information standards in the United States.
To be able to identify and discuss the role of federal initiatives and legislation that have a significant impact on the adoption of health care information standards in the United States.
To be able to identify examples within the major types of health care information standards and the organizations that develop or approve them.
To understand the importance of health care IT standards to the future of the US health care delivery system.
Throughout this text we have examined a variety of different types of standards that affect, directly or indirectly, the management of health information systems. In Chapter Ten we examined health care performance standards; Chapter Two looked at data quality standards, Chapter Nine at security standards, and so on. In this chapter we will examine yet another category of standards that affect health care data and information systems: health care information system (HCIS) standards. In all cases the standards examined represent the measuring stick or set of rules against which an entity, such as an organization or system, will compare its structures, processes, or functions to determine compliance. In the case of the HCIS standards discussed in this chapter the aim is to provide a common set of rules by which health care information systems can communicate. Systems that conform to different standards cannot possibly communicate with one another. Portability, data exchange, and interoperability among different health information systems can be achieved only if they can “communicate.” For a simple analogy, think about traveling to a country where you do not speak the language. You would not be able to communicate with that country's citizens without a common language or translator. Think of the common language you adopt as the standard set of rules to which all parties agree to adhere. Once you and others agree on a common language, you and they can communicate. You may still have some problems, but generally these can be overcome.
By nature HCIS standards include technical specifications, which make it less easy for the typical health care administrator to fully understand them. In addition, a complex web of public and private organizations create, manage, and implement HCIS standards, resulting in standards that are not always aligned, making the standards even more difficult to fully grasp. In fact, some may actually compete with one another. In addition to the complex web of standards specifically designed for HCIS, there are many general IT standards that affect health care information systems. Networking standards, such as Ethernet and Wi-Fi, employed by health care organizations are not specific to health care. Extensible markup language (XML) is widely accepted as a standard for sharing data using web-based technologies in health care and other industries. There are many other examples that are beyond the scope of this text. Our focus will be on the standards that are specific to HCIS.
With HIPAA came the push for adoption of administrative transaction and data exchange standards. This effort has been largely successful; claims are routinely submitted via standard electronic transaction protocols. However, although real progress has been made in recent years, complete interoperability among health care information systems remains elusive. Chapter Three examined the need for interoperability among health care information systems to promote better health of our citizens; Chapter Two discussed the lack of standardization in EHRs as an issue with using EHR data in research; and Chapter Nine outlined problems associated with misalignment of quality and performance measures, in part because of a lack of interoperability and standardization in EHRs and other health care information systems. Interoperability, as defined by the ONC (2015) in its publication Connecting Health Care for the Nation: A Shared Nationwide Interoperability Roadmap, results from multiple initiatives, including payment, regulatory, and other policy changes to support a collaborative and connected health care system. The best political and social infrastructures, however, will not succeed in achieving interoperability without supportive technologies.
This chapter is divided into three main sections. The first section is an overview of HCIS standards, providing general information about the types of standards and their purposes. The second section examines a few of the major initiatives, public and private, responsible for creating, requiring, or implementing HCIS standards. Finally, the last section of the chapter examines some of the most commonly adopted HCIS standards, including examples of the standards when possible.
HCIS Standards Overview
Keith Boone, a prolific blogger and writer on all topics related to HIT standards, once wrote, “Standards are like potato chips. You always need more than one to get the job done” (Boone, 2012b). In general, the health care IT community discusses HCIS standards in terms of their specific function, such as privacy and security, EHRs, electronic prescribing (e-prescribing), lab reporting, and so on, but the reality is that achieving one of these or other functions requires multiple standards directed at different levels within the HCIS. For example, there is a need for standards at the level of basic communication across the Internet or other network (Transporting), standards for structuring the content of messages communicated across the network (Data Interchange and Messaging), standards that describe required data elements for a particular function, such as the EHR or clinical summary (Content), and standards for naming or classifying the actual data, such as units of measure, lab tests, diagnoses, and so on (Vocabulary/Terminology). Unfortunately, there is no universal model for categorizing the plethora of HCIS standards. In this chapter we will look at standards described as Data Interchange and Messaging, Content, and Vocabulary/Terminology standards.
Standards, as we have seen, are the sets of rules for what should be included for the needed function and system level. This is only a portion of the challenge in implementing standards. The other challenge is how the standards are used for a particular function or use case. Much of the work today toward achieving interoperability of health care information systems is concerned with the how. Organizations that develop standards may also create specific implementation guides for using the standard in a particular use case. (To further complicate the already complicated standards environment, these implementation guides are sometimes referred to as standards.) Other organizations, such as the ONC, develop frameworks for implementing standards, and several government initiatives, such as HIPAA and HITECH, have set requirements for implementing specific standards or sets of standards.
Standards Development Process
When seeking to understand why so many different IT and health care information standards exist, it is helpful to look first at the standards development process that exists in the United States (and internationally). In general the methods used to establish health care IT standards can be divided into four categories (Hammond & Cimino, 2006):
1. Ad hoc. A standard is established by the ad hoc method when a group of interested people or organizations agrees on a certain specification without any formal adoption process. The Digital Imaging and Communications in Medicine (DICOM) standard for health care imaging came about in this way.
2. De facto. A de facto standard arises when a vendor or other commercial enterprise controls such a large segment of the market that its product becomes the recognized norm. The SQL database language and the Windows operating system are examples of de facto standards. XML is becoming a de facto standard for health care and other types of industry messaging.
3. Government mandate. Standards are also established when the government mandates that the health care industry adopt them. Examples are the transaction and code sets mandated by the Health Insurance Portability and Accountability Act (HIPAA) regulations.
4. Consensus. Consensus-based standards come about when representatives from various interested groups come together to reach a formal agreement on specifications. The process is generally open and involves considerable comment and feedback from the industry. This method is employed by the standards developing organizations (SDOs) accredited by the American National Standards Institute (ANSI). Many health care information standards are developed by this method, including Health Level Seven (HL7) standards and the health-related Accredited Standards Committee (ASC) standards.
The relationships among standard-setting organizations can be confusing, to say the least. Not only do many of the acronyms sound similar but also the organizations themselves, as voluntary, member-based organizations, can set their own missions and goals. Therefore, although there is a formally recognized relationship among the International Organization for Standardization (ISO), ANSI, and the SDOs, there is also some overlap in activities. Table 11.1 outlines the relationships among the formal standard-setting organizations and for each one gives a brief overview of important facts and a current website.
Table 11.1 Relationships among standards-setting organizations
Source: ANSI (n.d.a, n.d.b, n.d.c); ISO (n.d.).

| Organizations | Facts | Website |
| --- | --- | --- |
| International Organization for Standardization (ISO) | Members are national standards bodies from many different countries around the world. Oversees the flow of documentation and international approval of standards development under the auspices of its member bodies. | www.iso.org |
| American National Standards Institute (ANSI) | US member of ISO. Accredits standards development organizations (SDOs) from a wide range of industries, including health care. Does not develop standards but accredits the organizations that develop standards. Publishes more than ten thousand standards developed by accredited SDOs. | www.ansi.org |
| Standards Developing Organizations (SDOs) | Must be accredited by ANSI. Develop standards in accordance with ANSI criteria. Can use the label “Approved American National Standard.” Approximately two hundred SDOs are accredited; twenty of these produce 90 percent of the standards. | www.standardsportal.org |

All the ANSI-accredited SDOs must adhere to the guidelines established for accreditation; therefore, they have similar standard-setting processes. According to ANSI, this process includes the following:
Consensus on a proposed standard by a group or “consensus body” that includes representatives from materially affected or interested parties
Broad-based public review and comment on draft standards
Consideration of and response to comments submitted by voting members of the relevant consensus body and by public review commenters
Incorporation of approved changes into a draft standard
Right to appeal by any participant that believes that due process principles were not sufficiently respected during the standards development in accordance with the ANSI-accredited procedures of the standards developer (ANSI, n.d.c)
The IT industry in general has experienced a movement away from the process of establishing standards via the accredited SDOs. The Internet and World Wide Web standards, for example, were developed by groups with much less formal structures. However, the accredited SDOs continue to have a significant impact on the IT standards for the health care industry.
Boone (2012a) lists the following organizations as major developers of HIT standards in the United States, which includes a mix of accredited SDOs and other developers. Each organization's specific areas for standard development are indicated in brackets. ANSI-accredited SDOs are indicated with an “*.”
International Standards Organization (ISO) [various]
ASTM International (ASTM) [various]*
Accredited Standards Committee (ASC) X12 [Insurance Transactions]*
Health Level Seven International (HL7) [various]*
Digital Imaging and Communication in Medicine (DICOM) [Imaging]
National Council for Prescription Drug Programs (NCPDP) [ePrescribing]
Regenstrief (LOINC) [Laboratory Vocabulary]
International Health Terminology SDO (IHTSDO) [Clinical Terminology]
In addition, Boone (2012a) identifies the following “other” organizations as having a major impact on HIT:
World Wide Web Consortium (W3C) [XML, HTML]
Internet Engineering Task Force (IETF) [Internet]
Organization for the Advancement of Structured Information Standards (OASIS) [Business use of XML]
He further identifies key groups known as “profiling bodies” (Boone, 2012a) that use existing standards to create comprehensive implementation guides. Two examples of profiling bodies are Integrating the Healthcare Enterprise (IHE) and the ONC, which focus on guidance for implementing clinical interoperability standards.
Perspective
European Committee for Standardization (CEN)
Although the focus of this chapter is standards developed within the United States, it is important to recognize there are other standards organizations worldwide. For example, the European Committee for Standardization (CEN) was created in Brussels in 1975. In 2010 CEN partnered with another European standards developing organization, the European Committee for Electrotechnical Standardization (CENELEC), to form the CEN-CENELEC Management Centre (CCMC) in Brussels, Belgium. The CCMC current membership includes national standards bodies from thirty-three European countries (CEN-CENELEC, n.d.).
The Technical Committee within CEN that oversees health care informatics standards is CEN TC 251, which consists of two working groups:
WG1: Enterprise and Information
WG2: Technology and Applications
Source: CEN (n.d.).
Federal Initiatives Affecting Health Care IT Standards
There are many federal initiatives that affect health care IT standards. In this section we look at federal initiatives for health care IT standards as a part of HIPAA, CMS e-prescribing, CMS EHR Incentive Program, and the Office of the National Coordinator for Health Information Technology (ONC), including the Interoperability Roadmap.
HIPAA
In August 2000, the US Department of Health and Human Services published the final rule outlining the standards to be adopted by health care organizations for electronic transactions and announced the designated standard maintenance organizations (DSMOs). In publishing this rule, which has been modified as needed, the federal government mandated that health care organizations adopt certain standards for electronic transactions and standard code sets for these transactions and identified the standards organizations that would oversee the adoption of standards for HIPAA compliance. The DSMOs have the responsibility for the development, maintenance, and modification of relevant electronic data interchange standards. HIPAA transaction standards apply to all covered entities' electronic data interchange (EDI) related to claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits, and premiums payment. The current HIPAA transaction standards are ASC X12N version 5010 (which accommodates ICD-10) along with NCPDP D.0 for pharmacy transactions (CMS, 2016b). In addition to these transaction standards, several standard code sets were established for use in electronic transactions, including ICD-10-CM, ICD-10-PCS, HCPCS, CPT, and Code on Dental Procedures and Nomenclature (CDT) (CMS, 2016a).
Centers for Medicare and Medicaid E-prescribing
The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) established a Voluntary Prescription Drug Benefit program. There is no requirement in this act that providers write prescriptions electronically, but those who choose to do so must comply with specific e-prescribing standards. The current published CMS e-prescribing standards consist of three sets of existing health care IT standards as “foundation” standards, which include NCPDP's SCRIPT Standard for e-Prescribing, ASC X12N standard for Health Care Eligibility Benefit and Response, and NCPDP's telecommunications standard. In addition, the final rule identifies three additional electronic tools to be used in implementing e-prescribing:
NCPDP Formulary and Benefit Standard Implementation Guide, which provides information about drugs covered under the beneficiary's benefit plan
NCPDP SCRIPT Medication History Transactions, which provides information about medications a beneficiary has been taking
Fill Status Notification (RxFill), which allows prescribers to receive an electronic notice from the pharmacy regarding the beneficiary's prescription status (CMS, 2013)
Centers for Medicare and Medicaid EHR Incentive Programs
As discussed previously, the Medicare and Medicaid EHR Incentive Programs were established as a part of the HITECH Act to encourage eligible providers (EPs) and eligible hospitals (EHs) to demonstrate Meaningful Use of certified EHR technology. EHR certification for Stage 1 and Stage 2 Meaningful Use requires EPs and EHs to meet specific criteria. Certification requirements are organized according to objectives, measures, specific criteria, and standards. Not all criteria include specific standards, but many do. Examples of standards required by 2014 certification rules include using the HL7 Implementation Guide for CDA in meeting the criteria for providing patients the ability to view online, download, and transmit information about a hospital. Other standards include SNOMED CT, which is required for coding a patient's smoking status, RxNorm, which is required for medications, and LOINC, which is required for laboratory tests, among others (HealthIT.gov, 2014).
Office of the National Coordinator for Health Information Technology
As discussed in previous chapters the Office of the National Coordinator for Health Information Technology (ONC) was established in 2004 and charged with providing “leadership for the development and nationwide implementation of an interoperable health information technology infrastructure to improve the quality and efficiency of health care” (HHS, 2008). In 2009, the role of the ONC was strengthened when the HITECH Act legislatively mandated ONC to provide this leadership and oversight (HHS, 2012). Today, the ONC is “the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information” (HealthIT.gov, n.d.).
Current ONC initiatives, in addition to implementing HITECH, include implementation of health care IT standards for interoperability. In Chapter Three, the ONC Interoperability Roadmap was introduced and key milestones related to payment reform and outcomes were outlined. The Roadmap also outlines key milestones for the development and implementation of technologies to support interoperability (ONC, 2015). Beginning in 2015, the ONC published its first Interoperability Standards Advisory, which has been subsequently updated annually. This Advisory document outlines the ONC-identified “best available” standards and implementation specifications for clinical IT interoperability. The identified standards and specifications in the 2016 Advisory are grouped into three sections:
Best Available Vocabulary/Code Set/Terminology Standards and Implementation Specifications, which address the “semantics,” or standard meanings of codes and terms needed for interoperability
Best Available Content/Structure Standards and Implementation Specifications, which address the “syntax,” or rules by which the common data elements can be shared to achieve interoperability
Best Available Standards and Implementation Specification for Services, which address infrastructure components needed to achieve interoperability (ONC, 2016)
Each specific standard is identified and defined by six characteristics: process maturity, implementation maturity, adoption level, federal requirement status, cost, and whether a testing tool is available. The Advisory also includes hyperlinks to the standards and implementation guides cited. Exhibit 11.1 is an excerpt from the 2016 Advisory.
Exhibit 11.1 Excerpt from ONC 2016 Interoperability Standards Advisory
Section I: Best Available Vocabulary/Code Set/Terminology Standards and Implementation Specifications
I-A: Allergies

Interoperability Need: Representing patient allergic reactions

| Type | Standard/Implementation Specification | Standards Process Maturity | Implementation Maturity | Adoption Level | Federally Required |
| --- | --- | --- | --- | --- | --- |
| Standard | SNOMED CT | Final | Production | | No |

Limitations, Dependencies, and Preconditions for Consideration: SNOMED CT may not be sufficient to differentiate between an allergy or adverse reaction, or the level of severity
Applicable Value Set(s): Value Set Problem urn:oid:2.16.840.1.113883.3.88.12.3221.7.4

Interoperability Need: Representing patient allergens: medications

| Type | Standard/Implementation Specification | Standards Process Maturity | Implementation Maturity | Adoption Level | Federally Required |
| --- | --- | --- | --- | --- | --- |
| Standard | RxNorm | Final | Production | | Yes |
| Standard | NDF-RT | Final | Production | Unknown | No |

Source: ONC (2016).
Other Organizations Influencing Health Care IT Standards
The following organizations certainly do not represent the full list of bodies that are involved with health care IT standards development and implementation. However, they do represent a few of the most significant nongovernment contributors. ASTM International and HL7 International are accredited SDOs with standards specifically addressing health care information. IHE is a recognized profiling body influencing the implementation of interoperability standards.
ASTM International
ASTM International was formerly known as the American Society for Testing and Materials. ASTM International has more than thirty thousand members from across the globe, and they are responsible for publishing more than twelve thousand standards. ASTM standards range from those that dictate traffic paint to cell phone casings (ASTM, n.d.a, n.d.b). The ASTM Standards for Healthcare Services, Products and Technology include medical device standards and health information standards. The health information standards are managed by the ASTM Committee E31, which focuses on “the development of standards that help doctors and health care practitioners preserve and transfer patient information using EHR technologies” (ASTM, 2014). Of particular note, the E31 standards include the continuity of care record (CCR) discussed further on in this chapter.
HL7 International
HL7 International was founded in 1987. It is an ANSI-accredited SDO “dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery and evaluation of health services” (HL7, n.d.). The HL7 standards related to interoperability and listed on its website as “Primary Standards,” or most used, include the following:
Version 2 and 3 HL7 messaging standards, interoperability specifications for health and medical transactions; these are the standards commonly referred to as HL7
Clinical Document Architecture (CDA), a document markup standard for clinical information exchange among providers based on version 3 of HL7
Continuity of Care Document (CCD), a joint effort with ASTM providing complete guidance for implementation of CDA in the United States
Clinical Context Object Workgroup (CCOW), interoperability standards for visually integrating applications “at the point of use”
These primary standards are not the only ones developed by HL7 International. The organization also publishes Functional EHR and PHR specifications; Arden Syntax, a markup language for sharing medical information; and GELLO, a query language for medical records. One of the most promising of the HL7 International standards is Fast Healthcare Interoperability Resources (FHIR). FHIR is built on HL7 but is considered easier to implement because it uses web-based technologies (Ahier, 2015). Several of the HL7 standards, including FHIR, will be explained in greater detail further on in this chapter.
IHE
Integrating the Healthcare Enterprise (IHE) has developed a series of profiles to guide health care documentation sharing. These profiles are not standards but rather include very specific guidance for how existing standards can be implemented to meet clinical needs (IHE, n.d.b). The current IHE profiles are organized as follows:
Anatomic Pathology
Cardiology
Eye Care
IT Infrastructure
Laboratory
Pathology and Laboratory Medicine
Patient Care Coordination
Patient Care Device
Pharmacy
Quality, Research, and Public Health
Radiation Oncology
Radiology
As an example, the IHE Patient Care Coordination Profile group includes twenty individual profiles, and each profile is further identified by its current implementation stage (IHE, n.d.a).
Health IT Standards
The development and implementation of health care IT standards is complex and constantly evolving. The preceding sections of this chapter are intended to provide some insight into the processes of the organizations involved in standards development. The following sections examine examples of the actual standards. This is by no means an exhaustive list of health care IT standards but rather samplings of a few that are commonly used or significant in other ways.
Vocabulary and Terminology Standards
One of the most difficult problems in exchanging health care information and creating interoperable EHRs is coordinating the vast amount of health information that is generated in diverse locations for patients and populations. The vocabulary and terminology standards discussed in this section serve similar purposes—to create a common language that enables different information systems or vendor products to communicate unambiguously with one another. In a very simplified example, a standard vocabulary would ensure that the medical term myocardial infarction, for example, is mapped to the term heart attack and that both terms share exactly the same attributes. An effective standard vocabulary must also standardize the very complex hierarchy and syntax of the language used in the health industry. This is a complicated and detailed endeavor to say the least. So it is not surprising that, to date, no single vocabulary has emerged to meet all the information exchange needs of the health care sector.
The most widely recognized coding and classification systems—ICD, Current Procedural Terminology (CPT), and diagnosis related groups (DRGs)—were discussed in Chapter Two. Although these systems and the other coding systems discussed in this section do not meet the criteria for full clinical vocabularies, they are used to code diagnoses and procedures and are the basis for information retrieval in health care information systems. Most were originally developed to facilitate disease and procedure information retrieval, but they have been adopted to code for billing services as well. Several of the most commonly used classification systems are actually incorporated across more robust standard vocabularies such as SNOMED CT and UMLS.
The code sets required by HIPAA include the following:
HCPCS (ancillary services or procedures) (see Chapter Two)
CPT-4 (physicians' procedures) (see Chapter Two)
CDT (dental terminology)
ICD-10 (see Chapter Two)
NDC (national drug codes)
The HITECH Meaningful Use final rule also includes ICD-10 as its classification standard.
The National Committee on Vital and Health Statistics (NCVHS) has the responsibility, under a HIPAA mandate, to recommend uniform data standards for patient medical record information (PMRI). Although no single vocabulary has been recognized by NCVHS as the standard, they have recommended the following as a core set of PMRI terminology standards:
Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT)
Logical Observation Identifiers Names and Codes (LOINC) laboratory subset
Several federal drug terminologies, including RxNorm (NCVHS, 2003)
The HITECH Meaningful Use final rule and the ONC Advisory include these standards and the standard for clinical vaccines administered (CVX). In this section we will describe SNOMED CT, LOINC, CVX, and RxNorm, along with the National Library of Medicine's Unified Medical Language System (UMLS) (of which RxNorm is one component), which has become the standard for bibliographical searches in health care and has the potential for other uses as well.
Code on Dental Procedures and Nomenclature
The American Dental Association (ADA) publishes the CDT, Code on Dental Procedures and Nomenclature. This set of codes is designed to support accurate recording and reporting of dental treatments. The ADA strives to maintain an up-to-date set of codes that reflect actual practice (ADA, n.d.). The code set is divided into twelve sections, as follows (Washington Dental Service, 2012):
I. Diagnostic (D0000–D0999)
II. Preventative (D1000–D1999)
III. Restorative (D2000–D2999)
IV. Endodontics (D3000–D3999)
V. Periodontics (D4000–D4999)
VI. Prosthodontics (D5000–D5899)
VII. Maxillofacial prosthetics (D5900–D5999)
VIII. Implant services (D6000–D6199)
IX. Prosthodontics (D6200–D6999)
X. Oral and maxillofacial surgery (D7000–7999)
XI. Orthodontics (D8000–8999)
XII. General Services (D9000–D9999)
National Drug Codes
The National Drug Code (NDC) is the universal product identifier for all human drugs. The Drug Listing Act of 1972 requires registered drug companies to provide the Food and Drug Administration (FDA) a current listing of all drugs “manufactured, prepared, propagated, compounded, or processed by it for commercial distribution” (FDA, 2016). The FDA, in turn, assigns the unique, three-segment NDC (listed as
package code in the following example) and maintains the information in the National Drug Code Directory. The NDC Directory is updated twice each month. Data maintained for each drug include up to sixteen fields. The information for the common over-the-counter drug Tylenol PM (Extra Strength), for example, is as follows:
Product NDC: 50580-176
Product Type Name: Human OTC Drug
Proprietary Name: Tylenol PM (Extra Strength)
Non-proprietary Name: Acetaminophen and Diphenhydramine Hydrochloride
Dosage Formulation: Tablet, Coated
Route Name: Oral
Start Marketing Date: 12-01-1991
End Marketing Date: <blank field>
Marketing Category Name: OTC Monograph Final
Application Number: part338
Labeler Name: McNeil Consumer Healthcare Div. McNeil-PPC, Inc
Substance Name: Acetaminophen; Diphenhydramine Hydrochloride
Strength Number/Unit: 500 mg/1, 25 mg/1
Pharm Class: Histamine H1 Receptor Antagonists [MoA], Histamine-1 Receptor Antagonist [EPC]
Package Code: 50580-176-10
Package Description: 1 Bottle, Plastic in 1 Carton (50580-176-10) > 100 tablet, coated in 1 Bottle, Plastic
DEA classification: <blank>
(US FDA, 2016)
Systematized Nomenclature of Medicine—Clinical Terms
Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT) is a comprehensive clinical terminology developed specifically to facilitate the electronic storage and retrieval of detailed clinical information. It is the result of collaboration between the College of American Pathologists (CAP) and the United Kingdom's National Health Service (NHS). SNOMED CT merges CAP's SNOMED Reference Terminology, an older classification system used to group diseases, and the NHS's Clinical Terms Version 3 (also known as Read Codes), an established clinical terminology used in Great Britain and elsewhere. As a result, SNOMED CT is based on decades of research. As of April 2007 SNOMED is owned, maintained, and distributed by the International Health Terminology Standards Development Organization (IHTSDO), a nonprofit association based in Denmark. The National Library of Medicine is the US member of the IHTSDO and distributes SNOMED CT at no cost within the United States (IHTSDO, n.d.; NLM, 2016b).
Logical Observation Identifiers Names and Codes
The Logical Observation Identifiers Names and Codes (LOINC) system was developed to facilitate the electronic transmission of laboratory results to hospitals, physicians, third-party payers, and other users of laboratory data. Initiated in 1994 by the Regenstrief Institute at Indiana University, LOINC provides a standard set of universal names and codes for identifying individual laboratory and clinical results. These standard codes enable users to merge clinical results from disparate sources (Regenstrief Institute, n.d.).
LOINC codes have a fixed length field of seven characters. Current codes range from three to seven characters long. There are six parts in the LOINC name structure: component/analyte, property, time aspect, system, scale type, and method. The syntax for a name follows this pattern (Case, 2011):
Pattern: LOINC Code:Component:Property Measured:Timing:System:Scale:Method
Example: 5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA
Clinical Vaccines Administered
The Centers for Disease Control and Prevention (CDC) National Center of Immunization and Respiratory Diseases (NCIRD) developed the Clinical Vaccines Administered (CVX) as standard codes and terminology for use with HL7 messaging standards. Table 11.2 is an excerpt from the full CVX table.
Table 11.2 Excerpt from CVX (clinical vaccines administered)
Source: CDC (2016).
Short Description | Full Vaccine Name | CVX Code | Status | Last Date Updated | Notes
adenovirus types 4 and 7 | adenovirus, type 4 and type 7, live, oral | 143 | Active | 3/20/2011 | This vaccine is administered as two tablets.
anthrax | anthrax vaccine | 24 | Active | 5/28/2010 |
BCG | Bacillus Calmette-Guerin vaccine | 19 | Active | 5/28/2010 |
DTaP, IPV, Hib, HepB | Diphtheria and Tetanus Toxoids and Acellular Pertussis Absorbed, Inactivated Poliovirus, Haemophilus b Conjugate (Meningococcal Outer Membrane Protein Complex), and Hepatitis B (Recombinant) Vaccine | 146 | Pending | 9/21/2015 | Note that this vaccine is different from CVX 132.
influenza, seasonal, injectable | influenza, seasonal, injectable | 141 | Active | 7/17/2013 | This is one of two codes replacing CVX 15, which is being retired.
influenza, live, intranasal | influenza virus vaccine, live, attenuated, for intranasal use | 111 | Inactive | 5/28/2010 |
RxNorm
The National Library of Medicine (NLM) produces RxNorm, which serves two purposes: as “a normalized naming system for generic and brand name drugs and as a tool for supporting semantic interoperation between drug terminologies and pharmacy knowledge–based systems” (NLM, 2016a). The goal of RxNorm is to
enable disparate health information systems to communicate with one another in an unambiguous manner.
There are twelve separate RxNorm data files that are released on a monthly basis. The files show this information:
Drug names and unique identifiers
Relationships
Attributes
Semantic types
Data history (three files)
Obsolete data (three files)
Metadata (two files)
The following example from the first RxNorm data file represents the “concept,” Azithromycin 250 MG Oral Capsule, with the unique identifier 141962 (NLM, 2016a):
141962|ENG||||||944489|944489|141962||RXNORM|SCD|141962|Azithromycin 250 MG Oral Capsule||N||
Unified Medical Language System
The NLM began the Unified Medical Language System (UMLS) project in 1986, and it is ongoing today. The purpose of the UMLS project is “to facilitate the development of computer systems that behave as if they ‘understand’ the meaning of the language of biomedicine and health. The UMLS provides data for system developers as well as search and report functions for less technical users” (NLM, 2016b).
The UMLS has three basic components, called knowledge sources:
UMLS Metathesaurus, which contains concepts from more than one hundred source vocabularies. All the common health information vocabularies, including SNOMED CT, ICD, and CPT, along with approximately one hundred other vocabularies, including RxNorm, are incorporated into the metathesaurus. The metathesaurus project's goal is to incorporate and map existing vocabularies into a single system.
UMLS Semantic Network, which defines 133 broad categories and dozens of relationships between categories for labeling the biomedical domain. The semantic network contains information about the categories (such as “Disease or Syndrome” and “Virus”) to which metathesaurus concepts are assigned. The semantic network also outlines the relationships among the categories (for
example, “Virus” causes “Disease or Syndrome”).
SPECIALIST Lexicon and Lexical Tools. The SPECIALIST lexicon is a dictionary of English words, common and biomedical, which exist to support natural language processing.
The UMLS products are widely used in NLM's own applications, such as PubMed, and they are available to other organizations free of charge, provided the users submit a license agreement (NLM, 2016b). Currently, components of UMLS are incorporated into other standards and profiles for health care IT interoperability.
Data Exchange and Messaging Standards
The ability to exchange and integrate data among health care applications is critical to the success of any overall health care information system, whether an organizational, regional, or national level of integration is desired. Although there is some overlap, these standards differ from the vocabulary standards because their major purpose is to standardize the actual “messaging” between health care information systems. Messaging standards are key to interoperability. In this section we will look at a few of the standards that have been developed for this purpose. There are others, and new needs are continually being identified. However, the following groups of standards are recognized as important to the health care sector, and together they provide examples of broad standards addressing all types of applications and specific standards addressing one type of application:
Health Level Seven Messaging standards (HL7)
Digital Imaging and Communications in Medicine (DICOM)
National Council for Prescription Drug Programs (NCPDP)
ANSI ASC X12N standards
Two other groups of standards discussed in this section actually combine some features of messaging standards and content standards:
Continuity of Care Document (CCD)
Fast Healthcare Interoperability Resources (FHIR)
HIPAA specifically requires covered entities to comply with specific ANSI X12N and NCPDP standards. HITECH and the ONC Advisory also cite specific messaging standards and the CCD. FHIR is currently under development by HL7 International and is being cited by health care IT professionals as a major advancement toward true interoperability.
Health Level Seven Standards
Two versions of HL7 messaging standards, Version 2 and Version 3, are listed by HL7 International as “primary,” or commonly used. HL7 v2 remains popular in spite of the development of HL7 v3. HL7 v2 was first introduced in 1987 and has become the “workhorse of electronic data exchange” (HL7, n.d.). HL7 v3 incorporates the root elements of XML and, as such, is a significant change from early versions. See the HL7 Perspective for an example of HL7 v3.
Digital Imaging and Communications in Medicine Standards
The growth of digital diagnostic imaging (such as CT scans and MRIs) gave rise to the need for a standard for the electronic transfer of these images between devices manufactured by different vendors. The American College of Radiology (ACR) and the National Electrical Manufacturers Association (NEMA) published the first standard, a precursor to the current Digital Imaging and Communications in Medicine (DICOM) standard, in 1985. The goals of DICOM are to “achieve compatibility and to improve workflow efficiency between imaging systems and other information systems in healthcare environments worldwide.” It is used by all of the major diagnostic medical imaging vendors, which translates to its use in nearly every medical profession that uses images (DICOM, 2016).
National Council for Prescription Drug Program Standards
The National Council for Prescription Drug Programs (NCPDP), an ANSI-accredited SDO with more than 1,600 members representing the pharmacy services industry, has developed a set of standards for the electronic submission of third-party drug claims (NCPDP, 2012). These standards not only include the telecommunication standards and batch standards required by HIPAA but also the SCRIPT standard required for e-prescribing, among others. Of note, the SCRIPT standard currently incorporates the RxNorm as its standardized medication nomenclature. The NCPDP Provider Identification Number is a unique identifier of more than seventy-five thousand pharmacies. Table 11.3 presents excerpts from the NCPDP Data Dictionary, which outlines a few of the Transmission Header Segment requirements. The entire data dictionary table is more than seventy pages long (CMS, 2002).
Table 11.3 Excerpt from NCPDP data dictionary
Source: CMS (2002).
NCPDP Data Dictionary Name | Field Number | NCPDP Definition of Field | Version D.0 Format | Valid Values per the Standard
Service Provider ID Qualifier | 202-B2 | Code qualifying the Service Provider ID | X(02) | Blank=Not Specified; 01=National Provider Identifier (NPI); 02=Blue Cross; 03=Blue Shield; 04=Medicare; 05=Medicaid; 06=UPIN; 07=NCPDP Provider ID; 08=State License; 09=Champus; 10=Health Industry Number (HIN); 11=Federal Tax ID; 12=Drug Enforcement Administration (DEA); 13=State Issued; 14=Plan Specific; 15=HCID (HC IDea); 99=Other
Service Provider ID | 201-B1 | ID assigned to pharmacy or provider | X(15) | N/A
Date of Service | 401-D1 | Identifies the date the prescription was filled or professional service rendered or subsequent payer began coverage following Part A expiration in a long-term care setting only | 9(08) | Format=CCYYMMDD
Perspective HL7 Laboratory Results Use Case
The following object identifiers (OIDs) are used within the Good Health Hospital (GHH):
GHH Placer Order IDs: 2.16.840.1.113883.19.1122.14
GHH Lab Filler Order IDs: 2.16.840.1.113883.19.1122.4
The code system for the observation within the GHH is LOINC: 2.16.840.1.113883.6.1
The HL7 Confidentiality Code system: 2.16.840.1.113883.5.25
The HL7 v3 Message: Domain Content Excerpt
The “Domain Content” starts with its own root element: observationEvent. The elements within specify the type of observation, the ID, the time of the observation, statusCode, and the results. The value for the actual result is shown in the value element. The interpretationCode element shows that the value has been interpreted as high (H), while referenceRange provides the normal values for this particular observation.
<observationEvent>
  <id root="2.16.840.1.113883.19.1122.4" extension="1045813"
      assigningAuthorityName="GHH LAB Filler Orders"/>
  <code code="1554-5" codeSystemName="LN" codeSystem="2.16.840.1.113883.6.1"
        displayName="GLUCOSE^POST 12H CFST:MCNC:PT:SER/PLAS:QN"/>
  <statusCode code="completed"/>
  <effectiveTime value="200202150730"/>
  <priorityCode code="R"/>
  <confidentialityCode code="N" codeSystem="2.16.840.1.113883.5.25"/>
  <value xsi:type="PQ" value="182" unit="mg/dL"/>
  <interpretationCode code="H"/>
  <referenceRange>
    <interpretationRange>
      <value xsi:type="IVL_PQ">
        <low value="70" unit="mg/dL"/>
        <high value="105" unit="mg/dL"/>
      </value>
      <interpretationCode code="N"/>
    </interpretationRange>
  </referenceRange>
</assignedEntity>
</author>
Source: Spronk (2007). http://www.ringholm.de/docs/04300_en.htm. Used under CC BY-SA 3.0, https://creativecommons.org/licenses/by-sa/3.0/. Used with permission.
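A receiving system can check that the result value, the interpretationCode, and the referenceRange described above agree with one another before it accepts a laboratory message. The following Python code is an added example, not part of the book or of Spronk's original; the sample message is a constructed, well-formed version of the excerpt (namespace declaration and closing tag added), and the function names and the L (low) flag are assumptions.

```python
import math
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
GHH_LAB_FILLER_OID = "2.16.840.1.113883.19.1122.4"  # from the GHH OID list above
LOINC_OID = "2.16.840.1.113883.6.1"

# Constructed sample: the excerpt above made well-formed so it parses on its own.
SAMPLE = """<observationEvent xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <id root="2.16.840.1.113883.19.1122.4" extension="1045813"/>
  <code code="1554-5" codeSystemName="LN" codeSystem="2.16.840.1.113883.6.1"/>
  <statusCode code="completed"/>
  <confidentialityCode code="N" codeSystem="2.16.840.1.113883.5.25"/>
  <value xsi:type="PQ" value="182" unit="mg/dL"/>
  <interpretationCode code="H"/>
  <referenceRange>
    <interpretationRange>
      <value xsi:type="IVL_PQ">
        <low value="70" unit="mg/dL"/>
        <high value="105" unit="mg/dL"/>
      </value>
      <interpretationCode code="N"/>
    </interpretationRange>
  </referenceRange>
</observationEvent>"""


def _quantity(elem, what, problems):
    """Read a finite numeric value and its unit from a PQ-style element."""
    if elem is None:
        problems.append(f"missing {what}")
        return None, None
    try:
        number = float(elem.get("value", ""))
        if not math.isfinite(number):
            raise ValueError
    except ValueError:
        problems.append(f"{what} is not numeric: {elem.get('value')!r}")
        return None, None
    return number, elem.get("unit")


def check_observation(xml_text):
    """Return a list of problems; an empty list means the result is self-consistent."""
    # Refuse DTDs outright so entity declarations are never processed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present; message rejected"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "observationEvent":
        return [f"unexpected root element {root.tag!r}"]

    problems = []
    ident = root.find("id")
    if ident is None or ident.get("root") != GHH_LAB_FILLER_OID:
        problems.append("id root is not the GHH lab filler OID")
    code = root.find("code")
    if code is None or code.get("codeSystem") != LOINC_OID:
        problems.append("observation code is not from the LOINC code system")

    value = root.find("value")  # direct child only, not the range value
    if value is not None and value.get(XSI_TYPE) != "PQ":
        problems.append("result value is not a physical quantity (PQ)")
    result, unit = _quantity(value, "result value", problems)
    rng = "referenceRange/interpretationRange/value/"
    low, low_unit = _quantity(root.find(rng + "low"), "range low", problems)
    high, high_unit = _quantity(root.find(rng + "high"), "range high", problems)
    if None in (result, low, high):
        return problems
    if not (unit == low_unit == high_unit):
        problems.append("units differ between result and reference range")
        return problems

    # Recompute the flag from the range and compare it with the one reported.
    expected = "L" if result < low else "H" if result > high else "N"
    flag = root.find("interpretationCode")
    reported = flag.get("code") if flag is not None else None
    if reported != expected:
        problems.append(
            f"interpretationCode {reported!r} but value {result:g} {unit} implies {expected!r}"
        )
    return problems
```
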
ANSI ASC X12N Standards
The ANSI Accredited Standards Committee (ASC) X12 develops standards in X12 and XML formats for the electronic exchange of business information. One ASC X12 subcommittee, X12N, has been specifically designated to deal with electronic data interchange (EDI) standards in the insurance industry, and this subcommittee has a special health care task group, known as TG2. According to the X12 TG2 website, “the purpose of the Health Care Task group shall be the development and maintenance of data standards (both national and international) which shall support the exchange of business information for health care administration. Health care data includes, but is not limited to, such business functions as eligibility, referrals and authorizations, claims, claim status, payment and remittance advice, and provider directories” (ASC X12, n.d.). To this end ASC X12N has developed a set of standards that are monitored and updated through ASC X12N work groups.
Table 11.4 lists the current X12 work group areas. A portion of the X12 5010 Professional Claim standard is shown in Exhibit 11.2. The standard for Professional Claim alone is more than ninety pages in length.
Table 11.4 X12 TG2 work groups
Source: ASC X12 (n.d.).
Work Group Number | Work Group Name
WG1 | Health Care Eligibility
WG2 | Health Care Claims
WG3 | Claim Payments
WG4 | Enrollments
WG5 | Claims Status
WG9 | Patient Information
WG10 | Health Care Services Review
WG15 | Provider Information
WG20 | Insurance—824 Implementation Guide
WG21 | Health Care Regulation Advisory/Collaboration
Exhibit 11.2 X12 5010 Professional Claim Standard
837-P 5010
5010 Element Identifier | Description | ID | Min. Max. | Usage Reg. | Loop | Loop Repeat | Values
ISA | INTERCHANGE CONTROL HEADER | | 1 | R | ___ | 1 |
ISA01 | Authorization Information Qualifier | ID | 2-2 | R | | | 00, 03
ISA02 | Authorization Information | AN | 10-10 | R | | |
ISA03 | Security Information Qualifier | ID | 2-2 | R | | | 00, 01
ISA04 | Security Information | AN | 10-10 | R | | |
ISA05 | Interchange ID Qualifier | ID | 2-2 | R | | | 01, 14, 20, 27, 28, 29, 30, 33, ZZ
ISA06 | Interchange Sender ID | AN | 15-15 | R | | |
ISA07 | Interchange ID Qualifier | ID | 2-2 | R | | | 01, 14, 20, 27, 28, 29, 30, 33, ZZ
ISA08 | Interchange Receiver ID | AN | 15-15 | R | | |
ISA09 | Interchange Date | DT | 6-6 | R | | | YYMMDD
ISA10 | Interchange Time | TM | 4-4 | R | | | HHMM
ISA11 | Interchange Control Standards ID | ID | 1-1 | R | | |
ISA12 | Interchange Control Version Number | ID | 5-5 | R | | | 00501
ISA13 | Interchange Control Number | N0 | 9-9 | R | | |
ISA14 | Acknowledgement Requested | ID | 1-1 | R | | | 0, 1
ISA15 | Usage Indicator | ID | 1-1 | R | | | P, T
ISA16 | Component Element Separator | AN | 1-1 | R | | |
GS | FUNCTIONAL GROUP HEADER | | 1 | R | ___ | 1 |
GS01 | Functional Identifier Code | ID | 2-2 | R | | |
GS02 | Application Sender Code | AN | 2-15 | R | | |
GS03 | Application Receiver Code | AN | 2-15 | R | | |
GS04 | Date | DT | 8-8 | R | | | CCYYMMDD
GS05 | Time | TM | 4-8 | R | | | HHMM
GS06 | Group Control Number | N0 | 1-9 | R | | |
GS07 | Responsible Agency Code | ID | 1-2 | R | | | X
GS08 | Version Identifier Code | AN | 1-12 | R | | | 005010X222
Source: ASC X12 (n.d.).
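Because every ISA element in Exhibit 11.2 has a fixed length, a data type, and in several cases a closed list of values, a receiver can validate the interchange header strictly before any claim content is processed. The following Python code is an added example, not taken from the book or from ASC X12; the function names and sample identifiers are made up, and it assumes the usual X12 convention (not stated in the exhibit) that the character after "ISA" is the element separator and that one segment terminator character may follow ISA16.

```python
from datetime import datetime

# Interchange ID qualifiers listed for ISA05 and ISA07 in Exhibit 11.2.
ID_QUALIFIERS = {"01", "14", "20", "27", "28", "29", "30", "33", "ZZ"}

# (element, data type, fixed length, allowed values) transcribed from Exhibit 11.2.
ISA_SPEC = [
    ("ISA01", "ID", 2, {"00", "03"}),
    ("ISA02", "AN", 10, None),
    ("ISA03", "ID", 2, {"00", "01"}),
    ("ISA04", "AN", 10, None),
    ("ISA05", "ID", 2, ID_QUALIFIERS),
    ("ISA06", "AN", 15, None),
    ("ISA07", "ID", 2, ID_QUALIFIERS),
    ("ISA08", "AN", 15, None),
    ("ISA09", "DT", 6, None),
    ("ISA10", "TM", 4, None),
    ("ISA11", "ID", 1, None),
    ("ISA12", "ID", 5, {"00501"}),
    ("ISA13", "N0", 9, None),
    ("ISA14", "ID", 1, {"0", "1"}),
    ("ISA15", "ID", 1, {"P", "T"}),
    ("ISA16", "AN", 1, None),
]


def _type_error(name, dtype, value):
    """Return a message if the value breaks its data type, else None."""
    if not (value.isascii() and value.isprintable()):
        return f"{name}: contains non-printable or non-ASCII characters"
    if dtype in ("N0", "DT", "TM") and not value.isdigit():
        return f"{name}: must contain digits only"
    if dtype in ("DT", "TM"):
        fmt, label = ("%y%m%d", "YYMMDD date") if dtype == "DT" else ("%H%M", "HHMM time")
        try:
            datetime.strptime(value, fmt)
        except ValueError:
            return f"{name}: {value!r} is not a valid {label}"
    return None


def validate_isa(segment):
    """Return a list of problems in one ISA segment; an empty list means it passed."""
    if len(segment) < 4 or not segment.startswith("ISA"):
        return ["not an ISA segment"]
    sep = segment[3]  # element separator: the character right after "ISA"
    # Added sanity check (assumption): a separator that can appear in data is ambiguous.
    if sep.isalnum() or sep.isspace():
        return ["element separator must not be alphanumeric or whitespace"]
    parts = segment.split(sep)
    if len(parts) != 17:
        return [f"expected 16 elements, found {len(parts) - 1}"]
    values = parts[1:]
    # ISA16 is one character; a second trailing character is the segment terminator.
    if len(values[15]) == 2:
        values[15] = values[15][0]

    problems = []
    for (name, dtype, length, allowed), value in zip(ISA_SPEC, values):
        if len(value) != length:
            problems.append(f"{name}: length {len(value)}, expected {length}")
            continue
        error = _type_error(name, dtype, value)
        if error:
            problems.append(error)
        elif allowed is not None and value not in allowed:
            problems.append(f"{name}: value {value!r} not in {sorted(allowed)}")
    return problems


def build_sample_isa(**overrides):
    """Constructed sample interchange header; every identifier in it is made up."""
    fields = {
        "ISA01": "00", "ISA02": " " * 10, "ISA03": "00", "ISA04": " " * 10,
        "ISA05": "ZZ", "ISA06": "SENDERID".ljust(15),
        "ISA07": "ZZ", "ISA08": "RECEIVERID".ljust(15),
        "ISA09": "240108", "ISA10": "1958", "ISA11": "^", "ISA12": "00501",
        "ISA13": "000000001", "ISA14": "0", "ISA15": "T", "ISA16": ":",
    }
    fields.update(overrides)
    return "*".join(["ISA"] + [fields[name] for name, *_ in ISA_SPEC]) + "~"


if __name__ == "__main__":
    print(validate_isa(build_sample_isa()))
    print(validate_isa(build_sample_isa(ISA12="00401", ISA09="241308")))
```
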
Continuity of Care Document (CCD)
The Continuity of Care Document (CCD) is a standard for the electronic exchange of patient summary information, so-called transportable patient care information. The current CCD standard is actually a merger of two other standards: the HL7 Clinical Document Architecture (CDA) standard and the ASTM Continuity of Care Record (CCR). There has been some discussion among experts about the CCR and CCD being competing standards, but HL7 has taken the position that CCD is an implementation of CCR and simply an evolution of the CCR (Rouse, 2010). Although discussed in this section, the CCD standard is not solely a content standard; it includes elements of a data exchange standard. It has an XML-based specification for exchanging patient summary data, but it also includes a standard outline of the summary content. The content sections of the CCD include the following:
Payers
Advance Directives
Support
Functional Status
Problems
Family History
Social History
Allergies
Medications
Medical Equipment
Immunizations
Vital Signs
Results
Procedures
Encounters
Plan of Care (Dolin, 2011)
Fast Healthcare Interoperability Resources (FHIR)
Fast Healthcare Interoperability Resources (FHIR) is currently being tested (as of this
text's publication date) by a range of health care IT professionals. So far, the testing has led to predominantly positive results, with many citing FHIR as having the potential to truly accelerate health care IT interoperability. The difference between FHIR and other standards is that it goes beyond the function of a traditional messaging system and includes modern web services to exchange clinical information. FHIR builds on the HL7 Clinical Document Architecture (CDA) and HL7 messaging. However, unlike CDA, FHIR enables granular pieces of information rather than an entire summary document to be shared (Ahier, 2015). According to Ahier (2015), FHIR offers easy-to-use tools not only to build faster and more efficient data exchange mechanisms but also to use personal health care information to create “innovative new apps” with the potential to create a “plug and play platform . . . similar to the Apple app store.”
Health Record Content and Functional Standards
Health record content and functional standards are not the same as messaging or data exchange standards. These standards outline what should be included in an EHR or other clinical record. They do not include technical specifications but rather the EHR content requirements. As mentioned previously, the CCD and FHIR have content standards within them, along with messaging standards. HL7 EHR-S (Electronic Health Record-System) Functional Model is an example of a comprehensive EHR content and functional standard that does not include technical specifications.
HL7 EHR-S Functional Model
The HL7 Electronic Health Record-System (EHR-S) Functional Model, Release 2 was published by Health Level Seven International in 2014. The purpose of this functional model is to outline important features and functions that should be contained in an EHR. Targeted users of the functional model include vendors and care providers, and it has been recognized by the ISO as an international standard (ISO 10781). The stated benefits of the functional model are as follows:
Provide an international standard for global use.
Enable a consistent framework for the development of profiles that are conformant to the base model.
Support the goal of interoperability.
Provide a standard that is easily readable and understandable to an “everyday person,” which enables a user to articulate his or her business requirements (HL7, 2014).
The EHR-S Functional Model is divided into seven sections:
1. Overarching (OV)
2. Care Provision (CP)
3. Care Provision Support (CPS)
4. Population Health Support (POP)
5. Administrative Support (AS)
6. Record Infrastructure (RI)
7. Trust Infrastructure (TI)
Each function within the model is identified by section and described by specific elements. Table 11.5 is an example of the function list for managing a problem list. Note: The list type indicates Header (H), Function (F), or Conformance Criteria (C).
Table 11.5 Excerpt from the HL7 EHR-S Functional Model Source: HL7 EHR-System Functional Model, Release 2. (2014). Retrieved September 6, 2016, from http://www.hl7.org/implement/standards/product_brief.cfm?product_id=269. Used with permission.
ID | Type | Name | Statement | Description | Conformance Criteria
CP.1 | H | Manage Clinical History | Manage the patient's clinical history lists used to present summary or detailed information on patient health history. | Patient Clinical History lists are used to present succinct snapshots of critical health information including patient history, allergy intolerance and adverse reactions, medications, problems, strengths, immunizations, medical equipment/devices, and patient and family preferences. |
CP.1.4 | F | Manage Problem List | Create and maintain patient-specific problem lists. | A problem list may include but is not limited to chronic conditions, diagnoses, or symptoms, injury/poisoning (both intentional and unintentional), adverse effects of medical care (e.g., drugs, surgical), functional limitations, visit or stay-specific conditions, diagnoses, or symptoms . . . |
CP.1.4 | C | | | | 1. The system SHALL provide the ability to manage, as discrete data, all active problems associated with a patient.
CP.1.4 | C | | | | 2. The system SHALL capture and render a history of all problems associated with a patient.
CP.1.4 | C | | | | 3. The system SHALL provide the ability to manage relevant dates including the onset date and resolution date of problem.
Summary
Multiple standard-setting organizations have roles in standards development, leading to a somewhat confusing array of current health care IT standards that address code sets, vocabularies and terminology, data exchange and messaging, and content and function. The standards developing organizations and standards discussed in this chapter, along with other general IT standards, enable health care information systems to be interoperable, portable, and to exchange data. The future of our health care system relies on having interoperable EHRs and other health care information systems. Clearly, this will not be realized without standards. The government, as well as the private sector, is actively engaged in promoting the development of best practices for implementing health care IT standards. HIPAA and CMS, for example, have had a significant impact on the adoption of specific health care information standards that focus on code set, terminology, and transactions. The ONC is charged with coordinating the national efforts for achieving interoperability among health care information systems, which has led to their publication of the Interoperability Roadmap and annual Interoperability Standards Advisories. Both of these tools will likely have a significant impact on the direction of national standards development and cooperation among the many standards developing organizations.
Key Terms
Accredited Standards Committee (ASC)
Ad hoc standards development process
American National Standards Institute (ANSI)
ASC X12N standards
ASTM International (ASTM)
CEN-CENELEC Management Centre (CCMC)
Clinical Context Object Workgroup (CCOW)
Clinical Document Architecture (CDA)
Clinical vaccines administered (CVX)
CMS e-prescribing
Code on Dental Procedures and Nomenclature (CDT)
Connecting Health Care for the Nation: A Shared Nationwide Interoperability Roadmap
Consensus standards development process
Continuity of Care Document (CCD)
Data exchange
De facto standards development process
Designated standard maintenance organizations (DSMOs)
Digital Imaging and Communication in Medicine (DICOM)
EHR content and functional standard
Electronic data interchange (EDI)
European Committee for Standardization (CEN)
Extensible markup language (XML)
Fast Healthcare Interoperability Resources (FHIR)
Government mandate standards development process
Health Level Seven International (HL7)
Health Insurance Portability and Accountability Act (HIPAA)
HL7 Health Record-System (EHR-S) Functional Model
HL7 messaging standards
Integrating the Healthcare Enterprise (IHE)
International Health Terminology SDO (IHTSDO)
International Organization for Standardization (ISO)
Interoperability
Interoperability Standards Advisory
Logical Observation Identifiers Names and Codes (LOINC)
National Council for Prescription Drug Programs (NCPDP)
National Drug Code (NDC)
Office of the National Coordinator for Health Information Technology (ONC)
RxNorm
SCRIPT Standard for e-Prescribing
SPECIALIST lexicon
Standards
Standards developing organizations (SDOs)
Standards Development Process
Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT)
UMLS Metathesaurus
UMLS Semantic Network
Unified Medical Language System (UMLS)
Vocabulary and terminology standards
Learning Activities
1. Standards development is a dynamic process. Select one or more of the standards listed in this chapter and conduct an Internet search for information on that standard. Has the standard changed? What are the current issues concerning the standard?
2. Visit a hospital IT department and speak with a clinical analyst or other person who works with clinical applications. Investigate the standards that the hospital's applications use. Discuss any issues concerning use of these standards.
3. Visit the ONC website at HealthIT.gov. Identify the current efforts of the ONC to promote adoption of health care IT standards for interoperability. What impact do you believe these initiatives will have? Why?
4. As you reflect on the information in this chapter and your own research, compare and contrast the intent of code set, vocabulary and terminology, data exchange, messaging, and content and functional health care IT standards. How are these types of standards different? How are they related? Are all needed for complete interoperability? Why or why not?
5. Some health care IT professionals believe that the technology currently exists for achieving interoperability among health care information systems, particularly EHRs. They contend that the remaining barriers are nontechnical. Do you agree with this sentiment? Why or why not? Support your answer.
References
Accredited Standards Committee X12 (ASC X12). (n.d.). X12N/TG2: Health care purpose and scope. Retrieved September 6, 2016, from http://www.wpc-edi.com/onlyconnect/TG2.htm
Ahier, B. (2015, Jan. 6). FHIR and the future of interoperability. Retrieved November 10, 2016, from http://www.healthcareitnews.com/news/fhir-and-future-interoperability
American Dental Association (ADA). (n.d.). Code on dental procedures and nomenclature (CDT code). Retrieved September 7, 2016, from http://www.ada.org/en/publications/cdt/
American National Standards Institute (ANSI). (n.d.a). About ANSI. Retrieved September 7, 2016, from https://www.ansi.org/about_ansi/overview/overview.aspx?menuid=1
American National Standards Institute (ANSI). (n.d.b). Resources: Standards developing organizations (SDOs). Retrieved September 7, 2016, from https://www.standardsportal.org/usa_en/resources/sdo.aspx
American National Standards Institute (ANSI). (n.d.c). Standards activities overview. Retrieved September 7, 2016, from https://www.ansi.org/standards_activities/overview/overview.aspx?menuid=3
ASTM International. (2014, Nov.). ASTM standards for healthcare services, products and technology. Retrieved September 5, 2016, from http://www.astm.org/ABOUT/images/Medical_sector.pdf
ASTM International. (n.d.a). ASTM video. Retrieved September 5, 2016, from https://www.astm.org/about-astm-corporate.html
ASTM International. (n.d.b). Standards & publications. Retrieved September 6, 2016, from https://www.astm.org/Standard/standards-and-publications.html
Boone, K. W. (2012a, April 9). Health IT standards 101. Retrieved September 7, 2016, from http://www.healthcareitnews.com/blog/health-it-standards-101
Boone, K. W. (2012b, March 26). An informatics model for HealthIT standards [Web log post]. Retrieved September 22, 2016, from http://motorcycleguy.blogspot.com/2012/03/informatics-model-for-healthit.html
Case, J. (2011). Using RELMA or . . . In search of the missing LOINC [PowerPoint]. Retrieved March 2012 from http://loinc.org/slideshows/lab-loinc-tutorial
CEN CENELEC. (n.d.). About us. Retrieved September 7, 2016, from http://www.cencenelec.eu/aboutus/Pages/default.aspx
Centers for Disease Control and Prevention (CDC). (2016, June 21). IIS: HL7 standard code set CVX—Vaccines administered. Vaccines and Immunizations. Retrieved September 6, 2016, from http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=cvx
Centers for Medicare and Medicaid (CMS). (2002). NCPDP flat file format. NCPDP reference manual. Retrieved September 6, 2016, from http://www.cms.gov/Medicare/Billing/ElectronicBillingEDITrans/downloads/NCPDPflatfile.pdf
Centers for Medicare and Medicaid (CMS). (2013, April 2). Adopted standard and transactions, adopted part D: E-prescribing standards. Retrieved September 5, 2016, from https://www.cms.gov/Medicare/E-Health/Eprescribing/Adopted-Standard-and-Transactions.html
Centers for Medicare and Medicaid (CMS). (2016a, June 23). Adopted standards and operating rules. Retrieved September 5, 2016, from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AdoptedStandardsandOperatingRules.html
Centers for Medicare and Medicaid (CMS). (2016b, June 21). Standards-setting and related organizations. Retrieved September 5, 2016, from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/StandardsSettingandRelatedOrganizations.html
Department of Health and Human Services (HHS). (2008). The ONC-coordinated federal health information technology strategic plan: 2008–2012. Retrieved August 2008 from http://www.hhs.gov/healthit/resources/HITStrategicPlanSummary.pdf
Department of Health and Human Services (HHS). (2012). About ONC. The Office of the National Coordinator for Health Information Technology. Retrieved March 2012 from http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov_onc/1200
DICOM. (2016). Strategic document. DICOM: Digital Imaging and Communications in Medicine. Retrieved September 6, 2016, from http://dicom.nema.org/dicom/geninfo/Strategy.pdf
Dolin, B. (2011). CDA and CCD for patient summaries. Retrieved November 10, 2016, from https://www.hl7.org/documentcenter/public_temp_143D9F91-1C23-BA17-0C15A882DDE6815D/calendarofevents/himss/2012/CDA%20and%20CCD%20for%20Patient%20Summaries.pdf
European Committee for Standardization (CEN). (n.d.). CEN/TC 251: Health informatics. Retrieved September 7, 2016, from https://standards.cen.eu/dyn/www/f?p=204:29:0::::FSP_ORG_ID,FSP_LANG_ID:6232,25&cs=1FFF281A84075B985DD039F95A2CAB820#1
Food and Drug Administration (FDA). (2016, April 22). National drug code directory. Retrieved September 7, 2016, from http://www.fda.gov/Drugs/InformationOnDrugs/ucm142438.htm
Hammond, W., & Cimino, J. (2006). Standards in biomedical informatics. In E. Shortliffe & J. Cimino (Eds.), Biomedical informatics (pp. 265–311). New York, NY: Springer-Verlag.
HealthIT.gov (2014). Meaningful use table series. Retrieved September 22, 2016, from https://www.healthit.gov/sites/default/files/meaningfulusetablesseries1_110112.pdf
HealthIT.gov. (n.d.). About ONC. Retrieved September 5, 2016, from https://www.healthit.gov/newsroom/about-onc
Health Level Seven International (HL7). (2014). HL7 EHR-System Functional Model, release 2. Retrieved September 6, 2016, from http://www.hl7.org/implement/standards/product_brief.cfm?product_id=269
Health Level Seven International (HL7). (n.d.). HL7 version 2 product suite. Retrieved September 6, 2016, from http://www.hl7.org/implement/standards/product_brief.cfm?product_id=185
Integrating the Healthcare Enterprise (IHE). (n.d.a.). IHE patient care coordination profiles. Retrieved November 10, 2016, from http://wiki.ihe.net/index.php/Profiles#IHE_Patient_Care_Coordination_Profiles
Integrating the Healthcare Enterprise (IHE). (n.d.b.). Profiles. Retrieved November 10, 2016, from https://www.ihe.net/Profiles/
International Health Terminology Standards Development Organization (IHTSDO). (n.d.). History of SNOMED CT. Retrieved September 7, 2016, from http://www.ihtsdo.org/snomed-ct/what-is-snomed-ct/history-of-snomed-ct
International Organization for Standardization (ISO). (n.d.). About ISO. Retrieved September 7, 2016, from http://www.iso.org/iso/home/about.htm
National Committee on Vital and Health Statistics (NCVHS). (2003, Nov. 5). Letter to the secretary: Recommendations for PMRI terminology standards. Retrieved March 2012 from http://www.ncvhs.hhs.gov/031105lt3.pdf
National Council for Prescription Drug Programs (NCPDP). (2012). About. Retrieved March 2012 from http://www.ncpdp.org/about.aspx
National Library of Medicine (NLM). (2016a, Jan. 4). RxNorm overview. Unified Medical Language System (UMLS). Retrieved September 6, 2016, from https://www.nlm.nih.gov/research/umls/rxnorm/overview.html
National Library of Medicine (NLM). (2016b, July 13). SNOMED CT. Retrieved September 7, 2016, from https://www.nlm.nih.gov/healthit/snomedct/
Office of the National Coordinator for Health Information Technology (ONC). (2015). Connecting health and care for the nation: A shared nationwide interoperability roadmap. Retrieved August 3, 2016, from https://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf
Office of the National Coordinator for Health Information Technology (ONC). (2016). 2016 interoperability standards advisory: Best available standards and implementation specifications. Retrieved September 5, 2016, from https://www.healthit.gov/sites/default/files/2016-interoperability-standards-advisory-final-508.pdf
Regenstrief Institute, Inc. (n.d.). About LOINC. Retrieved September 7, 2016, from https://loinc.org/background
Rouse, M. (2010, May). Continuity of care document. SearchHealthIT. Retrieved March 2012 from http://searchhealthit.techtarget.com/definition/Continuity-of-Care-Document-CCD
Spronk, R. (2007). HL7 message examples: Version 2 and version 3. Retrieved from http://www.ringholm.de/docs/04300_en.htm
United States Food & Drug Administration (US FDA). (2016). National drug code directory. Retrieved November 10, 2016, from http://www.fda.gov/Drugs/InformationOnDrugs/ucm142438.htm
Washington Dental Service. (2012). CDT procedure code information. Retrieved March 2012 from http://wwwldeltadentalwa.com/Dentist/Public/ResourceCenter/CDT%20Procedure%20Codes.aspx

