Home » News » Currently Reading:

Pretzel Logic: Stage 1’s Nasty Little Surprises 5/5/11

May 5, 2011 News 14 Comments

Meaningful Use attestation began on April 18, which means that there is now some field experience on how to meet Meaningful Use Stage 1 requirements. I polled my staff to see what we’ve learned through the process. Which requirements seem to be the hardest? What are the best ways to meet those requirements?

The findings, though obviously not statistically meaningful in any way, were quite interesting and instructive (well, interesting at least to that perverse sliver of humanity who find health IT and Meaningful Use interesting enough to write and read about it).

Looking at the Core Requirements, the most difficult requirements seem to be (in order of difficulty):

Capability to exchange key clinical information. The biggest difficulty with this objective seems to be figuring out what the heck it means. What are “different legal entities?” What are “distinct certified EHR technologies?” What is “key clinical information?” What does it mean to “electronically exchange” key clinical information?

There are some answers available at CMS, but health care delivery is too complex, and the FAQs a tad too vague, to be really useful in many if not most circumstances.

One large source of confusion with this requirement is whether it requires some kind of connection to a Health Information Exchange. The answer is a resounding NO. Indeed, meeting the requirement doesn’t seem to require an electronic connection to another practice at all. All it requires is that a valid clinical summary CCD/c32 be generated from one certified system, and that an attempt be made to upload it into another distinct certified system.

Thus it would be perfectly acceptable to create the file using your certified EHR system, encrypt it (using a cheap and easily available commercial utility like WinZip, for example), pass the file to another practice on a CD or a thumb drive or even using commercial e-mail (like Gmail or Yahoo), and ask them to try to upload it into their system.

Doesn’t have to be through an organized HIE activity. Doesn’t have to be structured data. Doesn’t have to be transported electronically, since ONC somehow decided not to create any standards for that. Doesn’t even have to be successfully uploaded by the receiving practice! It’s like testing my high school son’s ability to show up for the SAT exam on time and with a number 2 pencil, rather than his ability to actually answer the questions on the test. (He’d be thrilled!)

If you are part of an organized HIE activity (like the New England Health Exchange Network, for example), you can transport your test file electronically. And some EHR vendors are helping their customers meet this requirement by matching up different customers with each other and facilitating transport through their own proprietary exchange infrastructure.

For example, eClinicalWorks, Medent, and Epic provide this service to their customers. But if you don’t happen to have such options, you can go just do it the old-fashioned way described above, and maybe even make it a little fun. “Hey Dr. Jayne, bring your flash drive on Wednesday morning and we’ll take care of MU before our tee time.”

Protect Health Information. This objective requires that the practice implement “appropriate technical capabilities” to protect health information and validate that they have done so by “conducting or reviewing a security risk analysis” of their internal capabilities. We’ve found that most providers generally know what the privacy and security rules are, but they’re shockingly unfamiliar with the details and they probably don’t know the severity of the punishments for violating such rules. Obviously, knowing the penalties should make people focus on the rules, but no one thinks it’s going to happen to them, so they put it on the back burner, if it’s on the stove at all.

You don’t have to be Sony to get seriously whacked by the long arm of the law. If you have some kind of breach and are determined by federal authorities to be “cavalier” toward protection of health information, for example, you could face a $250K fine, and up to $1.5M if you seem to be repeatedly “cavalier.” If you lose track of information on over 500 individuals (by having a laptop stolen, for example), you could be required to issue a press release to media outlets in your area and have your practice name listed on a federal Web site, in addition to any fines you might face.

And that’s just the federal requirements. Some states, like my own state of Massachusetts, have equally strict laws that correlate with, but don’t exactly match, federal rules.

This requirement is deceptive because it leads one to believe that protecting health information is just a technical issue, when any privacy/security professional would say that it’s mostly policy, procedure, and attitude. Because this requirement is so vague and so focused on technical capabilities, there is a risk that an EP merely checking the box on this one could be lulled into thinking that they’ve adequately addressed federal and state privacy and security rules when they might not even be close.

The best way to address this requirement is to hire a well-respected third party security audit firm. If you don’t know where to find one of those, your hospital or a large practice in your area would almost certainly be able to point in the right direction. Your IT vendor may say that they can provide this service, but be careful — some will only focus on technical issues like firewalls and will give scant attention or completely ignore the policies and training that you and your staff need to really meet the letter and the spirit of the law.

And in no circumstance should you rely on your EHR vendor for this. They’ll be highly unlikely to have the holistic view of your operations necessary to protecting you and your patients. And as much as it hurts, it might be worth paying you lawyer for a short chat about your legal exposure in this brave new world.

Provide patients with an electronic copy of their health information, and Provide clinical summaries for patients for each office visit. I lumped two objectives together here because both of them involve providing information to patients, which makes them incredibly important because they are customer-facing and directly embedded in day-to-day and visit-to-visit workflow.

The general difficulties practices have with these requirements are: What information am I supposed to provide? Do I really have to provide in any way that they want? And how long do I have to provide it?

In terms of what to provide, the requirement itself is a long list that seems fairly innocuous on the face of it, but has a few undefined oddities, like “recommended patient decision aids.” The harder part is that the EHR certification requirements don’t match exactly with what’s supposed to be included in the patient information, so any hope of automating this process in your office could get seriously bollixed up (a technical term) if the information you’re supposed to give to patients isn’t what the software spits out.

The other barrier we’ve experienced is that, as much love as we have for patients, they aren’t always as well behaved as we might like. So terms that say “per patient preference” can start to get complicated if it means that some patients want it on paper, others ask for it in a patient portal, others want it in their PHR, still others want it on a CD, and the rest want it on a thumb drive (the latter being patient-provided and possibly virus-laden and unencrypted, of course). And that just covers the reasonable options.

The reality so far is that the electronic information requirement is manageable because few patients are requesting the information and, I suspect, few providers are pushing it. The clinical summary information is a little easier because most EHRs do create some kind of post-visit summary, which is maybe probably mostly hopefully compliant with what the objective requires … or close enough for government work, anyway.

All of this isn’t to suggest that the other requirements are a walk in the rose garden (quality measures, for example, are like a whole new set of requirements). These are just the ones that we’ve found particularly troubling for those pioneering physicians who are attesting now.

I haven’t yet talked about the Menu set, which is a minefield onto itself. And whether meeting all these requirements is actually getting us to a world of better and more affordable health care is an even bigger issue that I won’t even try to tackle here. Gotta save something for future entries …

micky tripathi

Micky Tripathi is president and CEO of the Massachusetts eHealth Collaborative. The views expressed are his own.

Comments 14
  • This review was very helpful. The problem with the clinical summaries requirement is 1) now we are forced to go back to paper — printing out the clinical summaries, and 2) most EMRs don’t print well, they format a report to print out on multiple sheets of paper, when if done correctly, it could have all appeared on one page.
    I have also encountered physicians who are dead-set against giving clinical summaries because they fear how patients and families will interpret the information.

  • Very helpful! Please keep it coming!!

  • Entertaining review and insights— keep up the great work! Stage 1 electronic exchange leaves a lot of room for interpretation but I think the spirit is clear. Hopefully more clarity to come on stage 2 and stage 3.

    Would like to read your thoughts on reasons why to exchange beyond MU since ONC used stimulus dollars to not only encourage EHR adoption but hopefully to stimulate a better path for achieving desirable clinical and economic outcomes.

    Adding Micky Tripathi to the HIStalk crew is further evidence of why HIStalk is one of the most worthwhile reads on the web.

  • Micky

    “…getting US to…more affordable health care…”
    as long as the computer and telecomm companies are involved, the cost will never decrease…don’t ever even try to reduce a budget!

  • Touche!!!!!! Great summary balanced with humor and insight… I am passing this on to all the members of our team struggling with these very issues…

  • Micki – Thanks for your article and your work in HIT.

    We have gone around and around trying to get a clear answer as to whether CDs, tumb drivers, emails are acceptable means of “exchanging key clinical information.” Our conclusion, as is the CoP MU Burning Issues workgroup, is “electronic transmission” is required, not removable media. Key words in the definition of “exchange” for us is “sent” and ” not the capabilities of uncertified or other vendor-specific alternative methods for exchanging clinical information.”

    From CMS document: “Exchange – Clinical information must be sent between different legal entities with distinct certified EHR technology and not between organizations that share a certified EHR technology. Distinct certified EHR technologies are those that can achieve certification and operate independently of other certified EHR technologies. The exchange of information requires that the eligible professional must use the standards of certified EHR technology as specified by the Office of the National Coordinator for Health IT, not the capabilities of uncertified or other vendor-specific alternative methods for exchanging clinical information.”

    If you have a clear, unambiguous statement from CMS, I would welcome seeing it.

  • Hi Paul,

    Thanks for your message. I am not aware of a statement by CMS on this, though I and many others have asked and have made them aware of the market confusion on this issue. I have confirmed my interpretation above with a number of national organizations and leaders, including members of the HIT Standards and Policy Committees. In addition, a number of RECs have promulgated the above interpretation as policy in their own activities.

    I would point specifically to a phrase that you quote — “…must use the standards of certified EHR technology as specified by ONC…”. Since ONC deliberately did not approve any certification standards for transport of key clinical information, this requirement as written cannot be said to specify anything about transport.

    This is no doubt an unintended consequence, but without further guidance from CMS, it’s hard to figure out where to draw the line on the term “electronic”. Does efaxing count? Does email? Seems to me that if CMS is going to allow “out-of-band” transport (ie, not certifiably integrated or interfaced into an EHR in some way), it’s hard to meaningfully draw the line among those options.

    Anyway, that’s my interpretation as well as the interpretation of many other policy and industry experts. I think the bottom line is that we all would welcome definitive guidance from CMS on this question!

    Thanks again for your message!


  • Micky – I may have misunderstood which core measure you are talking about: Core #12 Provide patients with an electronic copy or
    Core #14 Exchange of Key Clinical Information or both?
    Thanks, Paul

  • Hi Paul,

    My response to your message was regarding Core #14.


  • Micky,

    As others have said: excellent stuff – keep it coming (& if your HIStalk walk-on-water colleagues want to jump in re: MU ambiguity also, that would even better.) Do I have this right – ONC has published only 148 FAQ’s? Wonder if they can tell us how many inquiries they’ve received? – must be in the many of 10,000’s (I’ve probably sent 20 inquiries myself).

    Do you (or readers) have thoughts on this question: CSC and others are evidencing that you need physician documentation to do many of the EH quality measures (for example, why a doctor did not complete a quality protocol – ie, an exclusion)… most hospitals don’t have a physician documentation system, so what should they do?

    And other readers, can you chime in with ambiguity you see in the rules (just so I don’t feel so alone? :)…

    Thanks again, Micky & glad to have you as another star on the HIStalk team…

  • The other sleeper for clinical summary is “all lab results received within 24 hours”, which means many clinical summaries can’t be given out until after the lab results are back and the patient is no longer in the office. This will require either sending a letter ($ for postage), secure e-mail, or a patient portal (even more $).

    We’re also hearing of clinics having trouble with the demographics section. Initially I was surprised by this, but its harder than you might think to get the front desk asking and recording everyone’s race, ethnicity, and language preference.


  • Re: MU Slave. As far as I can tell, CMS has posted 148 responses to questions — no idea how many questions (or more relevant, unique questions) they’ve gotten but I agree, it’s got to be in the thousands. The CSC report referred to on quality measurement can be found here: http://www.csc.com/health_services/insights/51442-hospital_quality_reporting_the_hidden_requirements_in_meaningful_use . A good read. I’ll dive into quality measures in a future post.

    Re: Bob. Agree on both points — we’ve found the same. Channel management is going to be a growing problem for providers who will now have to start thinking about what information needs to get to which patients in what format and in what timeline. That’s not necessarily a bad thing because health care customer service could use a good kick-in-the-pants, but many practices aren’t set up to handle this type of complexity and their reimbursements (beyond the one-time MU incentives) don’t cover the added costs, so there are many valid reasons that this could take longer than the Feds think it will.

    Many practices (and/or individuals in practices) find it uncomfortable to ask about REL. Somewhat ironic since they’re often dealing with information much more intimate than that. I suspect that they might be meeting some resistance from patients who (rightly) suspect that this information isn’t primarily being collected for their immediate care but rather for higher level purposes — population/public health if you’re not paranoid, big brother government if you are.

    Would love to hear others’ experiences with all of this! Thanks for all the great comments!

  • Finally, finally….. CMS weights in on core measurement #14 with what I think is a definitive answer –

    [EHR Incentive Program] For the meaningful use objective of “capability to exchange key clinical information”…..

    Published 05/17/2011 11:25 AM | Updated 05/18/2011 02:09 PM | Answer ID 10638

    For the meaningful use objective of “capability to exchange key clinical information” for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs, does exchange of electronic information using physical media, such as USB, CD-ROM, or other formats, meet the measure of this objective?
    No, the use of physical media such as a CD-ROM, a USB or hard drive, or other formats to exchange key clinical information would not utilize the certification capability of certified EHR technology to electronically transmit the information, and therefore would not meet the measure of this objective.
    For the purposes of the “capability to exchange key clinical information” measure, exchange is defined as electronic transmission and acceptance of key clinical information using the capabilities and standards of certified EHR technology (as specified at 45 CFR 170.304(i) for EPs and 45 CFR 170.306(f) for eligible hospitals and CAHs). We expect that this information would be exchanged in structured electronic format when available (e.g., drug or clinical lab data); however, where the information is available only in unstructured electronic formats (e.g., free text or scanned images), the exchange of unstructured information would satisfy this measure. For more information about electronic exchange of key clinical information, please refer to the following FAQ: http://questions.cms.hhs.gov/app/answers/detail/a_id/10270/kw/10270.
    Please note that this objective is distinct from objectives such as “provide a summary of care record for each transition of care,” where electronic exchange of the summary of care record is not a requirement but an option. To satisfy the measure of the “provide a summary of care record for each transition of care” objective, a provider is permitted to send an electronic or paper copy of the summary care record directly to the next provider or can provide it to the patient to deliver. In this case, the use of physical media such as a CD-ROM, a USB or hard drive, or other formats could satisfy the measure of this objective.

  • Hooray! There are still some anomalies but it does clearly rule out “physical media.” Best advice then would be to use some type of “network” for transport — whether it’s secure email, FTP, a secure website, or an HIE service (proprietary or otherwise).

Leave a comment



This site uses Akismet to reduce spam. Learn how your comment data is processed.

Platinum Sponsors




Gold Sponsors


Subscribe to Updates

Search All HIStalk Sites

Recent Comments

  1. Re: Walmart Health: Just had a great dental visit this morning, which was preceded by helpful reminders from Epic, and…

  2. NextGen announcement on Rusty makes me wonder why he was asked to leave abruptly. Knowing him, I can think of…

  3. "New Haven, CT-based medical billing and patient communications startup Inbox Health..." What you're literally saying here is that the firm…

  4. RE: Josephine County Public Health department in Oregon administer COVID-19 vaccines to fellow stranded motorists. "Hey, you guys over there…

  5. United is regularly referred to as "The Evil Empire" in the independent pediatric space (where I live). They are the…

RSS Industry Events

  • An error has occurred, which probably means the feed is down. Try again later.