HIMSS Stages
The HIMSS Analytics website (http://www.himssanalytics.org) says the organization supports improved decision making for healthcare organizations, healthcare IT companies and consulting firms by delivering high quality data and analytical expertise.
They have created this EMR Adoption Model (there is another model for Canadian hospitals, and they have recently released a version for the ambulatory setting). They think that if hospitals go through these 8 stages they will have a “complete” EMR, participation from staff at their facilities, and a completely paperless environment.
The following stages are taken from the whitepaper located at http://www.himssanalytics.org/docs/HA_EMRAM_Overview_ENG.pdf; each one is a step toward becoming a paperless environment.
Stage 0: The organization has not installed all of the three key ancillary department systems (laboratory, pharmacy, and radiology).
Stage 1: All three major ancillary clinical systems are installed (i.e., pharmacy, laboratory, and radiology).
Stage 2: Major ancillary clinical systems feed data to a clinical data repository (CDR) that provides physician access for reviewing all orders and results. The CDR contains a controlled medical vocabulary, and the clinical decision support/rules engine (CDS) for rudimentary conflict checking. Information from document imaging systems may be linked to the CDR at this stage. The hospital may be health information exchange (HIE) capable at this stage and can share whatever information it has in the CDR with other patient care stakeholders.
Stage 3: Nursing/clinical documentation (e.g. vital signs, flow sheets, nursing notes, eMAR) is required and is implemented and integrated with the CDR for at least one inpatient service in the hospital; care plan charting is scored with extra points. The Electronic Medication Administration Record application (EMAR) is implemented. The first level of clinical decision support is implemented to conduct error checking with order entry (i.e., drug/drug, drug/food, drug/lab conflict checking normally found in the pharmacy information system). Medical image access from picture archive and communication systems (PACS) is available for access by physicians outside the Radiology department via the organization’s intranet.
Stage 4: Computerized Practitioner Order Entry (CPOE) for use by any clinician licensed to create orders is added to the nursing and CDR environment along with the second level of clinical decision support capabilities related to evidence based medicine protocols. If one inpatient service area has implemented CPOE with physicians entering orders and completed the previous stages, then this stage has been achieved.
Stage 5: The closed loop medication administration with bar coded unit dose medications environment is fully implemented. The eMAR and bar coding or other auto identification technology, such as radio frequency identification (RFID), are implemented and integrated with CPOE and pharmacy to maximize point of care patient safety processes for medication administration. The “five rights” of medication administration are verified at the bedside with scanning of the bar code on the unit dose medication and the patient ID.
Stage 6: Full physician documentation with structured templates and discrete data is implemented for at least one inpatient care service area for progress notes, consult notes, discharge summaries or problem list & diagnosis list maintenance. Level three of clinical decision support provides guidance for all clinician activities related to protocols and outcomes in the form of variance and compliance alerts. A full complement of radiology PACS systems provides medical images to physicians via an intranet and displaces all film-based images. Cardiology PACS and document imaging are scored with extra points.
Stage 7: The hospital no longer uses paper charts to deliver and manage patient care and has a mixture of discrete data, document images, and medical images within its EMR environment. Data warehousing is being used to analyze patterns of clinical data to improve quality of care and patient safety and care delivery efficiency. Clinical information can be readily shared via standardized electronic transactions (i.e. CCD) with all entities that are authorized to treat the patient, or a health information exchange (i.e., other non-associated hospitals, ambulatory clinics, subacute environments, employers, payers and patients in a data sharing environment). The hospital demonstrates summary data continuity for all hospital services (e.g. inpatient, outpatient, ED, and with any owned or managed ambulatory clinics).
Here are the current Ambulatory Stages:
HIPAA Omnibus Rule
The government created the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is governed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (www.hss.gov); that website states it was established “to strengthen the privacy and security protections for health information”. Then came the Omnibus rule, which required providers to be compliant by September 23, 2013 or face consequences (some changes do not have to be completed until September 23, 2014). The new Omnibus rule focused on three areas:
• Privacy, Security, and Breach Notification policies and procedures
Under GINA (the Genetic Information Nondiscrimination Act of 2008), you may not discriminate based on genetic information. This is now tied into HIPAA, since genetic information is part of health information. You are not allowed to use or disclose genetic information for underwriting purposes. That leads us into the changes to your Notice of Privacy Practices. Those must be updated and include provisions that indicate:
§ The health plan will notify affected participants if a breach of unsecured PHI occurs
§ The plan may not use or disclose PHI that is genetic information for underwriting purposes, consistent with GINA
§ The plan will obtain an individual's authorization before it uses PHI for marketing purposes, sells PHI, or uses or discloses PHI for any purposes not described in this notice.
Patients have more individual rights under the new law. They are able to request copies of their health records in an electronic format (which is also a requirement of Meaningful Use Stage 2). Individuals who pay with cash can also decide whether or not to allow the provider to share information about their treatment with their health plan. You are also limited in how the information is used and disclosed for marketing and fundraising purposes. Patient health information cannot be sold without the patient's permission. Along with this, the patient can deny you the right to use their health information for research purposes. The rule does make it easier for you to share immunization data with a child's school (you have one year after September 23, 2013 to modify contracts with your business associates to comply with this rule).
• Notice of Privacy Practices (NPP)
The Notice of Privacy Practices that most hospitals hand to patients and display on their websites will need some added clarification. Once you make these revisions (this had to be completed before September 23, 2013), you must post that changes have been made and also alert patients to the change and how they can obtain a copy of the changes.
• Business Associate (BA) Agreements
Business Associates of covered entities are directly liable for compliance with the new regulations. This now includes contractors and subcontractors, since the majority of breaches in the past have been attributed to business associates (according to Dolbey, almost 57% are from BAs). Noncompliance penalties have increased up to $1.5 million for each violation (and up to 10 years imprisonment). These penalties are now tier based, increasing with the level and severity of a violation. The term Business Associate used to mean anyone who performs or assists in the performance of a function or activity involving the use or disclosure of protected health information (PHI). It has now expanded to include persons who create, receive, maintain, or transmit PHI in connection with performing a function or service for a covered entity, even if they do not view the PHI. If you have an existing BAA and that agreement is not renewed or amended from March 26, 2013 to September 23, 2013, it is still compliant until it is renewed or amended after September 23, 2013 or before September 23, 2014 (whichever occurs earliest). You must still document any risk assessment performed, but now an impermissible acquisition, access, use or disclosure of PHI is a presumed breach that must be reported. You must either report the breach or, if it did not constitute a breach, document why it was not a breach. In those cases you must do a risk assessment on these factors at the minimum:
1) What was the nature and extent of the PHI involved (list the types of identifiers and the likelihood of re-identification of this information)
2) Who was the unauthorized user who accessed the data or to whom did they disclose it
3) Was the PHI acquired or viewed
4) To what extent is the risk to the PHI mitigated (is it a risk of financial, reputation, or other harm)
Some important revisions that need to be included in your Business Associates Agreement (BAA) include:
For all current Business Associate Agreements that you have in place, you will need to review and determine if any of those vendors have not identified their subcontractors and ensure they have Business Associate Agreements in place. You will want to ensure this is in place so that the liability falls to them and not to your organization.
If you want to read the entire Final Rule in the Federal Register, it is located at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf