HIMSS18: What We Learned in Vegas Doesn’t Have to Stay in Vegas

AHLA PG Bulletin

Authored Article, Client Alert



Google Keynote

Complex. Hard.  Humbling.  These are the descriptors former Google CEO Eric Schmidt used last week at the HIMSS 2018 Annual Conference in Las Vegas to describe the work to be done in health information technology (HIT).  Schmidt provided a provocative look at HIT infrastructure, innovation, and the new industry darling, artificial intelligence (AI).  Schmidt chastised institutional providers focused on proprietary data centers instead of cloud-based platforms for security and HIPAA compliance.  He touted the usage of search processes for big data and machine learning by providing real-life examples of each and compared predictive analytic applications to new drug development in terms of life-saving potential.  In a sobering segment, Schmidt noted how AI may challenge how we humans think about risks and liability in healthcare.  He advocated using the computer with predictive algorithms as a data source, but keeping clinicians firmly in the decision-making loop, especially under circumstances when computer errors cannot be explained.  Schmidt closed with a call to the industry for interoperability to generate and share the vast amounts of clinical data needed for these new applications.

Office for Civil Rights (OCR) Update

The U.S. Department of Health and Human Services (HHS) OCR presented a HIPAA compliance and enforcement update. Director Roger Severino and Privacy & Security Specialist Nicholas Heesters primarily focused on recent enforcement statistics and cases, changes to the breach reporting website and current breach statistics, and OCR’s technical assistance efforts. The session did not address the status of the audit program or include information on potential upcoming policy changes or guidance.

With respect to enforcement, OCR highlighted the enforcement cases that it brought since HIMSS17, focusing on the significant increase in collected resolution amounts and penalties in 2016 and 2017, and emphasized that such enforcement will continue. For example, OCR collected over $23 million in resolution amounts and penalties in 2016 and almost $20 million in 2017, while no prior year included more than $10 million in collections. Severino walked through some of the most recent enforcement actions and potential takeaways, such as the importance of properly disposing of information and not impermissibly sharing health information with the media. OCR emphasized the importance of health information, and that it should be treated like gold and properly secured.

For breach notification, Severino discussed changes to the breach website to move older breach reports to an archive. He discussed some statistics, such as the increase in incidents due to hacking, the continued prevalence of incidents due to theft of information, and that paper records continue to represent approximately 21% of large breaches. OCR indicated that large breaches have affected over 177 million individuals.

OCR also focused on its technical assistance efforts, including the Health IT Developer Portal, cyber security guidance materials, its ransomware guidance, and cybersecurity newsletters.

In response to questions, Severino touched on policy a little, indicating that OCR is considering ways to reduce administrative burden. He also responded to a question about texting, indicating that texting should be treated like e-mail, and that because HIPAA is patient centric, a patient can opt in to receiving protected health information through unsecure texts.

OCR did not focus on any upcoming regulations or guidance, but the HHS regulatory agenda from Fall 2017 identifies a number of efforts: changes to the requirement for health care providers to obtain acknowledgment of receipt of the notice of privacy practices; clarification that health care providers are presumed to be acting in the individual’s best interest when sharing information with an incapacitated patient’s family members; withdrawal of the prior proposed accounting of disclosures rule and a new advance notice of proposed rulemaking, and an advance notice of rulemaking regarding distribution of penalties and monetary settlements to harmed individuals.

OCR did not discuss audits in the session, but in an interview afterwards with HealthcareInfoSecurity.com, Severino indicated that there will not be a “phase three audit program” other than compiling findings from phase two.

Centers for Medicare and Medicaid Services (CMS) Initiatives

CMS Administrator Seema Verma captured applause from the crowd when she promised a complete overhaul of the CMS Meaningful Use EHR Incentive Program.  Now that Congress has removed the statutory requirement that EHR incentive programs become increasingly more stringent, look for changes in upcoming hospital and physician payment rules to streamline future stages.  Verma promised that CMS will be dedicated to providing patients with tools to gain access and control over their health data, focusing on health plan responsibilities to provide patients their electronic health data and provider attestations to avoid information blocking.  As with other CMS officials at the conference, Verma referenced the need for “Patients over Paperwork” and the “kill the fax” movement to reduce reliance on the faxing of clinical documents among providers and health plans in favor of recent changes permitting providers to use structured data formats from EHRs when responding to CMS audit contractors. 

Office of National Coordinator for Health Information Technology (ONC) and Cures Activities

ONC’s Elise Sweeney Anthony, the Director of its Office of Policy, and Steven Posnack, the Director of its Office of Standards and Technology, presented a policy and technology update.

Sweeney discussed the role of the health IT certification program, the model privacy notice for health IT applications, the development of the Patient Unified Lookup System for Emergencies (PULSE), the Patient Demographic Data Quality Framework, and educational modules for health IT adoption for behavioral health, long-term, and post-acute care providers. She then walked through the sections of the 21st Century Cures Act related to health information technology and ONC’s efforts with respect to implementing each section. This included the release of the draft Trusted Exchange Framework and Common Agreement (TEFCA) and rulemaking to implement the prohibition on information blocking.

Posnack provided additional information regarding the health IT certification program, ONC’s Interoperability Proving Ground and C-CDA Scorecard, and the process for implementing and revising the United States Core Data for Interoperability.

HHS Office of Inspector General (OIG) and the US. Department of Justice (DOJ) Fraud and Abuse Expansion to Vendors

James Cannatti, OIG’s Senior Counselor for Health IT, and Owen Foster, Assistant U.S. Attorney from the District of Vermont, provided a fraud and abuse primer for the health IT industry.  Foster discussed the whistleblower case brought in his district leading to the $155M false claims act settlement the DOJ entered last summer with eClinicalWorks (ECW).  The settlement agreement resolved allegations that the EHR vendor caused providers to falsely attest to using a certified EHR and to report inaccurate meaningful use information to CMS. The federal government had intervened and further alleged that referral payments to ECW users for recommending its products violated the federal Anti-kickback Statute.  Cannatti and Foster also discussed both provider and individual false claim cases relating to the falsification of hospital attestations on federal EHR incentive programs.

Workshops and the Exhibit Halls

Hal Wolf welcomed attendees to his first annual conference as HIMSS CEO and provided several fireside chats throughout the meeting. Wolf brought an optimistic perspective on the pace of change, but noted the complexities of achieving interoperability. During the conference, HIMSS released its annual cybersecurity survey, noting the current hacking and insider threats (most often through email phishing attacks) and reviewing risk management activities resulting from security risk assessments. Medical device safety continues to be a risk, although the survey outlines cybersecurity staffing shortages and financial barriers facing organizations.

The drive for innovation was a key theme throughout the workshops and the exhibit halls.  Speakers often referenced recent industry entrants Amazon, Uber, and Apple and the expected disruption throughout the healthcare industry.  EHR vendors announced embedded virtual assistants to assist physicians with workflow, and the exhibit hall was filled with use cases and demos for telehealth, AI, and voice applications to improve data retrieval and work flow.  Cybersecurity, clinical documentation improvement, and population health management went mainstream while precision medicine is emerging and the potential for blockchain to manage health information and supply chain management appears on the horizon.

Republished with permission. This article first appeared in the AHLA's PG Bulletin on March 16, 2018.