Bill Braithwaite: Beef Up HITECH Rules

The final version of regulations to carry out the HITECH Act must include far more details on privacy and security to ensure widespread adoption of electronic health records, says William R. Braithwaite, M.D., Ph.D.

In an interview, Braithwaite, widely known as "Dr. HIPAA" for his work in drafting the HIPAA administrative simplification provisions, says the Medicare and Medicaid EHR incentive program under HITECH will fail if clinicians and patients alike don't trust the security of the systems. He says:

  • Regulators should add much more specific guidelines for security to the "meaningful use" and EHR software certification rules.
  • The final version of the rules should enable hospitals and physicians to qualify for earning EHR incentives in phase one by achieving less demanding criteria.
  • Healthcare organizations must immediately gear up their privacy protection efforts in tandem with their efforts to phase in EHRs.

Braithwaite is now chief medical officer for Anakam Inc., a security technology company. He previously spent seven years as a senior adviser at the Department of Health and Human Services.

He was one of the authors of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 and a major contributor to the subsequent regulations setting federal standards.

Braithwaite also formerly served as chief clinical officer for the eHealth Initiative and its foundation. He staffed the President's Information Technology Advisory Committee to help produce its June 2004 report, "Revolutionizing Health Care Through Information Technology." He also previously served as national director of HIPAA advisory services at PricewaterhouseCoopers.

HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. Today we are talking with Dr. Bill Braithwaite, chief medical officer for Anakam Inc. Dr. Braithwaite is widely known as "Dr. HIPAA" for his seven years as a senior advisor at the Department of Health and Human Services, when he played a major role in drafting the HIPAA administrative simplification provisions. Thanks so much for joining us today, Dr. Braithwaite.

DR. BILL BRAITHWAITE: You are quite welcome.

ANDERSON: Dr. Braithwaite, based on your extensive experience writing regulations and then explaining how to comply, let's go over what you like and what you don't like about the pending regulations to carry out the HITECH Act. First of all, do you think the financial incentives for hospitals and physicians to use electronic health records are fundamentally a good idea and will prove successful in the long run?

DR. BRAITHWAITE: First of all it is important to understand what the intent is here, and only when you understand the intent can you get a sense for whether these incentives are a good idea or not. The problem is that we are still practicing medicine like we did 4,200 years ago. We are still putting the clinician decision maker and a patient in a room and they are both interacting from memory.

The complexity of the human physiology and the complexity of medical knowledge is to the point now where we can't do that anymore without hurting people accidentally. In fact, we have known for well over a decade that we are killing well over 100,000 people by accident, avoidable accidents, in hospitals every year. To me that is just unacceptable.

To fix this problem we need to put a whole package in place. We have to change the way we practice medicine. Clinical decisions, whether the decisions are made by a clinician decision maker or by a patient, those have to be supported with technology that starts off with an electronic health record system. The electronic health record system has to contain clinical decision support software, and that, in turn, has to be supported by computable health information exchange.

If you put those things together and allow the decision makers to make better decisions, we can save a lot of lives and save a lot of money. This requires a great deal of change in the way we practice medicine.

So we look back at the financial incentives you asked about and if you add up all of the numbers, what you end up with is the federal government reimbursing clinicians and hospitals for about what it costs to buy the electronic health record systems themselves. What is not reimbursed is the cost of the training required, the cost and hassle of change, that is the process reengineering that is necessary for the practice of medicine to take advantage of these things, and the learning time and lack of experience that will take a good deal of time for these things to come together.

It has been estimated that clinicians will lose about 50 percent of their productive time in their first year, after which, of course, they will become more productive and be able to see more patients. And once they see the patients they will be able to make better decisions, and they won't have to see the patients coming back because they won't make so many mistakes.

So the combination of these things is yes, the financial incentive is important, it is necessary; whether it is good enough will depend actually on how it gets implemented, I think, given all of these other barriers that are still in place and have to be pulled on before it is successful.

ANDERSON: Now HITECH doesn't mandate that anyone participate in the incentives, but those physician offices and hospitals that have not made meaningful use of record systems by the end of 2014 will see a series of escalating cuts in their reimbursements for treating Medicare patients kicking in during 2015. Do you think that is a powerful incentive?

DR. BRAITHWAITE: Well from my perspective it is a powerful incentive. You know we are paying for your computer software and hardware and if you don't implement it and prove to us that you have implemented it in a way that is going to improve the outcome of your clinical decisions we are going to start decreasing the amount of money we pay you for what you do for Medicare and Medicaid patients.

I think that is pretty powerful. I think the question is not the power of it; it is the speed and the difficulty of doing this. I worry that although the amount of money is there, the incentives are there, that the demand for proof so quickly for so many things is going to force some people to give up. They are going to start retiring instead of going through all of this hassle. You can imagine the middle-aged to older physician saying, "oh my God I have got to not only install these computers but I have got to select them, I have got to buy them and I have got to spend a lot of time learning how to use them and then I have to prove to the federal government that I am using them in a certain way in order to get reimbursed for all of the money that I have put out for this."

I worry that this is going to be a disincentive if it is not done in a sort of clinician-friendly soft rollout so the incentives are there but the punishment isn't so bad that they kind of give up before they get to the point where they can practice with information technology at their side helping them to make better clinical decisions.

ANDERSON: So you agree with a lot of organizations that commented on the meaningful use rule that asked for the timeline for meeting the criteria to be a little less aggressive. How optimistic are you that regulators will take that advice to heart and change the timeline in light of all the comments they received?

DR. BRAITHWAITE: You know the regulators are under the influence of the law and the law lays these timelines down in black and white. It is going to be very, very difficult for them to change the timeline and I understand where it came from; healthcare has been very reluctant to change.

This is a point in time where we really have to change the way we practice medicine. We really have to integrate electronic health information technology right into the very core of how we practice medicine and how we make clinical decisions, and so having an aggressive timeline makes people pay attention. I think that is important.

But I also think that it has to be humanely applied and the regulators do have some flexibility in terms of saying, "Well by this point in time instead of saying you have to do 100 percent of this by this date or we are going to cut you off," you can say, "Alright you have got to have 50 percent of it done now and we will give you some slack and 80 percent done the next year" and sort of work it to the point where people can actually keep up with this aggressive timeline.

They might not be able to do it all as commanded by the law in the first year or two, but they can get enough done that they are clearly on the path. And once on the path it is going to be pretty hard to turn back and give it all up. Once they have had this computing support to their clinical decision making and they have solved a lot of the problems of getting these things implemented and integrated, they will scream bloody murder if you turn around and say, "well we are going to take it away."

So it is a matter of getting it in there in a way that allows people to adapt and get used to it so they continue to use it and to increase their use of it rather than giving up in a short period of time.

ANDERSON: The Healthcare Information and Management System Society and others have said that the "meaningful use" rule lacks sufficient detail on data security measures and privacy measures. Do you think that rule, as well as the rule on standards for certified EHRs, are too vague in general, especially when it comes to security and privacy?

DR. BRAITHWAITE: Definitely. I think they are way too vague. It is kind of strange in a way, as I said; this whole process of implementing meaningful use of information technology depends on the secure exchange of computable health information. This is the underpinning to the clinical decision support.

If patients won't allow their information to be exchanged electronically and doctors won't contribute their information on patients electronically because they don't trust the system, because it is not being well-protected enough to preserve the confidentiality and integrity, the whole system is going to fall on its face. It is just not going to do what meaningful use is intended to do.

So we are in this situation, particularly with privacy and security, where we are gathering information and we are exchanging it electronically, which as anyone in the security field understands increases the risk that somebody is going to use it or disclose it inappropriately, which means you need stronger authentication of the users and you have to control the costs and the risks in this process of building stronger authentication and stronger security.

There are standards on the books from HITSP that have actually been adopted by the HHS secretary, and federal agencies are in fact required to follow these adopted standards. But those standards aren't the ones that were put into the interim final rule from the Office of the National Coordinator for Health IT. The rules left a lot of slack. It said, "okay you can do this or you can do that"...but they are so vague and so slack in terms of the requirements that people aren't sure what is going to happen. And if they are not sure what is going to be required they are not going to do anything. We learned that from HIPAA where, by law, you had to use a certain set of standards and people said, "No, show me the punishment, show me where I am going to lose if I don't do it; I'll pay the $100 fine rather than going through all the effort of implementing these new standards."

So I think they really are going to have to build a strong, more specific set of standards, particularly for privacy and security. The interim final rule that was published pointed out specifically that the capabilities of qualified electronic health records systems set the floor, but they didn't set the floor for the capabilities required for privacy and security. They referred back to these sort of general things, like, "Oh well, you need these certain kinds of encryption and you need certain kinds of authentication," but no specifics.

(There are many scenarios.) A clinician doing electronic prescribing for example, from within a medical environment where they are surrounded by other clinicians, they are in a controlled environment and people know who is supposed to have access to that machine and what they are supposed to be able to do with it.

That is different than when the doctor calls in from home; that is an unsecured location. Is this doctor really who he says he is? Is the doctor qualified to do this sort of prescribing electronically, and what do we do to make sure this remote access is truly being done by the person who is authorized to do this particular function? That requires strong, or second-factor, authentication, which isn't anywhere in the rules as a requirement.

So people are just going to use username and passwords until the first time we have a major breach based on some hacker coming in remotely or stealing a password or stealing a laptop and finding the passwords attached to it on a sticky note. Those kinds of things have to be dealt with up front or we are going to have a major problem. And if we lose the trust of the clinicians and the patients, again, meaningful use is not going to go forward very quickly.

ANDERSON: Well based on your HIPAA experience, are you optimistic that the regulators will indeed continue to fine-tune and add details to these final HITECH regulations, which are due out toward the end of spring?

DR. BRAITHWAITE: I have no doubt that they will. I think that they've gotten a lot of feedback about what was missing and what was too vague and what they should be doing about it, but I worry that the federal government takes a very long time to change these kinds of things and come up with specificity in their rulemaking.

Part of the problem is that they don't want to be seen as partial to a particular vendor or subset of vendors. They have spent a lot of time writing standards and rules and regulations in such a way that the architecture of how the nationwide health information network is to be implemented, for example, is architecturally neutral.

They just are not making the kinds of decisions that make people feel confident that they can go ahead and build the systems using the technology and the standards that have been adopted so that they will not fail and they will be able to communicate with other people cost-effectively and securely.

It is not the same as setting regulations for independent vendors to build a product. These are products that have to interact securely and they have to use the same mechanisms for connectivity, for security, and for authentication, or the whole system won't work.

So I think they need to get a lot more specific about these rules, and I worry that the federal government isn't going to be able to make the hard decisions necessary to put the rules into place in such a way that supports secure interoperability and is able to be implemented quickly and cost-effectively by the vendors that are out there.

ANDERSON: In the meantime, what advice would you offer hospitals and clinics preparing to participate in the EHR incentive program regarding the kinds of factors they should be considering now to make sure the clinical data they are moving online will stay secure?

DR. BRAITHWAITE: Well I think the first message is if you haven't started already, you need to start yesterday. It is a long and difficult process. You have to learn about what data you have, what data you need, what information systems you have, what information systems are out there, and what kinds of budgets you can afford even given your expectation that it will be reimbursed by Medicare and Medicaid. This is a long and difficult and arduous process. It has to be started now or you will be way behind. So that is obviously the first thing.

The second thing is think about the vision, the goal, that this is not another system that you implement and the doctor scribbles a note for the nurse and the nurse does it or they scribble a note to the lab and the lab does it. This is something that won't work unless the doctor does it. It won't work unless the patient does it. You have got to provide direct access to the decision makers in the process of making those decisions, fully supporting those decisions, or it is going to fail. Its purpose is to be there for the decision maker, and if you implement it in such a way that the decision maker is isolated from that interaction, then it is not going to work.

So think about that and seriously look at what sorts of process reengineering and education is going to be necessary for whatever system you end up buying and implementing to make this rather dramatic change in the way medicine is practiced.

I think if you have that sort of larger view of the vision and you start from the vision and work down, as you work from the bottom up gathering information about what data is necessary and what information systems are available to meet the needs of your particular institution, you will be closer to success than with any other method.

ANDERSON: Thanks Dr. Braithwaite. We have been speaking today with Dr. Bill Braithwaite of Anakam. This is Howard Anderson of Information Security Media Group.
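Braithwaite's point about remote access is that a username and password alone are defeated the first time a password is phished, guessed, or read off a sticky note on a stolen laptop, and that a second factor is what closes that gap. The following is an added worked example, not code from the interview, from ISMG, or from any Anakam product: a time-based one-time password (RFC 6238, built on RFC 4226 HOTP) checked alongside the password, so that possession of the password by itself never completes a login. The clinician account, its password, and the replay bookkeeping are constructed for the demo; the shared secret is the published RFC 4226/6238 test-vector secret so the codes can be checked against the RFC tables.

```python
"""Two-factor login check: password plus RFC 6238 TOTP (stdlib only).

Added example for the interview's second-factor point; not the page's or Anakam's code.
"""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30            # RFC 6238 default time step
DIGITS = 6                   # what a typical authenticator app displays
ALLOWED_DRIFT_STEPS = 1      # accept one step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step (T0 = 0)."""
    return hotp(secret, unix_time // step, digits)


def matching_counter(secret: bytes, submitted: str, unix_time: int, digits: int = DIGITS,
                     step: int = STEP_SECONDS, drift: int = ALLOWED_DRIFT_STEPS):
    """Return the time-step counter whose code equals `submitted`, or None.

    Tries the current step and `drift` steps either side. The comparison is constant-time
    so the check itself does not leak how many digits were right.
    """
    current = unix_time // step
    for counter in range(current - drift, current + drift + 1):
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), submitted.encode()):
            return counter
    return None


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 for the stored password (first factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the demo: one hypothetical clinician account.
# `last_counter` records the newest time step already used, to refuse replays.
_SALT = b"demo-salt-not-for-production"
USERS = {
    "dr.smith": {
        "pw_hash": _pbkdf2("correct horse battery staple", _SALT),
        "totp_secret": RFC_TEST_SECRET,
        "last_counter": -1,
    }
}


def authenticate(username: str, password: str, otp: str, unix_time: int) -> bool:
    """Succeed only if the password matches AND a fresh, not-yet-used TOTP code is presented."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(_pbkdf2(password, _SALT), user["pw_hash"])
    counter = matching_counter(user["totp_secret"], otp, unix_time)
    # A code for a step at or before the last accepted one is a replay: reject it.
    if not password_ok or counter is None or counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    pw = "correct horse battery staple"
    print("password only, bogus code:", authenticate("dr.smith", pw, "000000", now))
    print("password + current code:  ", authenticate("dr.smith", pw, code, now))
    print("same code replayed:       ", authenticate("dr.smith", pw, code, now))
```

The drift window of one step means a code remains valid for up to about 90 seconds in total, which is why the replay check matters: without `last_counter`, a code captured from a shoulder-surf or a compromised endpoint could be reused until the window closes. Note also that this design still assumes the TOTP secret itself is protected at rest; a second factor stored next to the password hash in the same database does not survive a dump of that database.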
