Is HITECH Working? #7: Where’s Plan B? Congress and ONC need to address major flaws in HITECH.

by Vince Kuraitis JD, MBA and David C. Kibbe MD, MBA

Pop quiz: Among early-stage companies that are successful, what percentage are successful with the initial business model with which they started (Plan A) vs. a secondary business model (Plan B)?

Harvard Business School Professor Clay Christensen studied this issue.  He found that among successful companies, only 7% succeeded with their initial business model, while 93% evolved into a different business model.

So let’s take this finding and reexamine our human nature. In light of these statistics, what makes more sense:

  • Defending Plan A to your dying breath?
  • Assuming Plan A is probably flawed, and anticipating the need for Plan B without getting defensive?

We question many of the assumptions underlying HITECH Plan A. We also want to talk constructively about the need for Plan B and what it should contain.

In this essay we’ll discuss:

1) The Need for HITECH Plan B

2) Questioning Assumptions — Issues to Reconsider in Plan B

a) Rewarding Incremental Progress
b) Addressing Root Causes for Non-adoption of EHR Technology
c) Questioning Health Information Exchanges (HIEs) as Building Blocks for the Nationwide Health Information Network (NHIN)
d) Catalyzing Movement Toward Modular EHR Technology
e) Focusing Incentives on High Leverage Physicians
f) Recalibrating Expectations for EHR Technology Adoption
g) Getting Bang-for-the-Buck in Achieving Meaningful Use Objectives
h) Comprehensively Revamping Privacy/Security Laws vs. Tweaking HIPAA
i) Maximizing Sync Between HITECH and PPACA
j) Leveraging Potential for Patient-Driven Disruptive Innovation
k) Promoting EHR Adoption Beyond Hospitals and Physicians, e.g., long-term care, home health, behavioral health, etc.
l) Dumping Certification

3) Summing Up

Is HITECH Working? #4: While most attention has been focused on demand side incentives (will doctors and hospitals buy EHRs?), the supply (vendor) side of HIT is already transforming.

by Vince Kuraitis JD, MBA and David C. Kibbe MD, MBA

Most of the press coverage of and attention to HITECH has focused on the “buy” side of the market. The central question has been: “Will doctors and hospitals buy and use EHR technology?”

Meanwhile — and much more quietly — the sell (vendor) side of the EHR market is already dramatically different than it was a year ago. We observe change occurring on at least three levels:

  1. HITECH as Policy Change
  2. HITECH as Mindset Change
  3. HITECH as Technology/Business Model Change

Privacy Law Showdown? Legal and Policy Analysis.

#2 in a series — Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

by Deven McGraw JD, MPH, Center for Democracy & Technology


There has been considerable discussion lately about whether or not the stimulus legislation (ARRA) extends HIPAA coverage to commercial vendors of personal health records (PHRs) any time they contract with entities already covered by HIPAA, like hospitals, health plans or physician groups. (For those of you who don’t know, HIPAA is the Health Insurance Portability and Accountability Act of 1996. The HIPAA privacy and security regulations form our national health privacy and security rules.)

The provision in question (Section 13408) states that “each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record” is required to enter into a business associate agreement with the covered entity.   Under ARRA, business associates must comply with key provisions of the HIPAA privacy and security regulations. 

In this post, I argue that PHR vendors should be covered under HIPAA only under certain circumstances.  PHRs should be governed by a comprehensive framework of privacy and security protections, but HIPAA would provide inadequate privacy protection for people using these tools (at least as the HIPAA rules are currently structured).  As a result, I argue that this provision in ARRA should not be read to require the automatic application of HIPAA to PHR vendors any time they contract with covered entities to offer a PHR.   Instead, I suggest that HIPAA should cover a PHR vendor’s activities when the nature of the relationship between the vendor and the covered entity (hospital, health plan, physician office) primarily concerns the vendor performing a service for the covered entity. 

However, where the contractual relationship is primarily about improving the value of the PHR to the consumer, HIPAA should not apply.  (I know, not an easy line to draw – but I do suggest some factors that should influence the decision.) 

Finally, I urge the prompt adoption of separate, targeted privacy provisions to protect consumers using PHRs so that the choice is not HIPAA or limited protections under other federal laws. 

Why Not HIPAA – Isn’t it Better Than Nothing?

Table of contents for the series: Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

  1. Privacy Law Showdown? Setting the Stage
  2. Privacy Law Showdown? Legal and Policy Analysis.

Privacy Law Showdown? Setting the Stage

Today’s post is the first in a series entitled:

Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

We’ll explore how recent changes in privacy provisions of ARRA/HITECH Federal stimulus legislation affect personal health information (PHI) platform companies (e.g., HealthVault, Google Health, Dossia) and personal health record (PHR) companies.

Health IT expert and journalist Neil Versel described the issue in the April 7 issue of BNET Healthcare:

Although Google and Microsoft have gotten plenty of attention for their Web-based personal health records, both companies have long maintained that they’re not bound by the privacy protections of a 1996 federal law known as HIPAA. And despite a recent HIPAA change — one intended to extend its privacy provisions to services like Google Health and Microsoft’s HealthVault — both companies still insist they’re not bound by the law.

…“Our understanding is that HITECH, which is the jargon for [the health IT] part of the legislation, did not change the definition for a covered entity or a business associate, so our service is offered directly to the consumer,” Google Health Product Manager Roni Zeiger told Modern Healthcare last month. “[O]ur understanding is that we are neither a covered entity nor a business associate,” he continued. “We’re providing a service directly to the consumer or a patient.”

Microsoft offered a similar assessment at the annual Healthcare Information and Management Systems Society conference in Chicago. “We’re still outside [of HIPAA],” said David Cerino, general manager of Microsoft’s Health Solutions Group.

Not everybody agrees with Microsoft and Google. Versel commented in his own blog:

Excuse me? I’ve been struck since Day 1 with the arrogance Google seems to be exhibiting with its entry into healthcare …  it seems to me Zeiger is intimating that the law doesn’t apply to Google.

In the BNET article, Versel also quotes David Brailer, the first head of the Office of the National Coordinator for Health Information Technology at HHS:


Leavitt’s Framework Shoehorns the HIPAA Privacy Rule onto Your Personal Health Information


by Vince Kuraitis and David C. Kibbe MD, MBA

Have you ever heard anyone tell a happy story of how easy it is to get a copy of their paper medical records?

Departing Health and Human Services Secretary Mike Leavitt is laying the groundwork for this same story to apply to access to YOUR electronic personal health information.

Here’s an overview of what evolved into a long posting:

  1. Analysis: The Leavitt Framework Uses the HIPAA Privacy Rule as a Baseline for Electronic Access to Personal Health Information
  2. Implication: Extending the HIPAA Privacy Rule Could Restrict Your Electronic Access to Your Personal Health Information
    • A. The HIPAA Privacy Rule Should Not Be the Baseline for Governing Access to Your Personal Health Information
    • B. Examples: Extending the HIPAA Privacy Rule Creates Barriers and Confusion
  3. Implication: Extending the HIPAA Privacy Rule Protects Incumbents at the Expense of Innovators Like Microsoft and Google
  4. Conclusion: The Leavitt Framework Creates Bad Public Policy

Picturing the PHIN as One Interoperable Network

Will the Microsoft HealthVault, Google Health, and Dossia personal health information (PHI) platforms be able to exchange data?  In our introductory essay announcing the Birth of the Personal Health Information Network (PHIN), Dr. David Kibbe and I posed a critical question:

What will the PHIN look like?  Will there be multiple, non-interoperable, competing networks or just one interoperable network?

This question is being answered with the best possible answer:  the PHIN is evolving as one, interoperable network.

Consider 3 scenarios:


  • Scenario One: Status Quo — Your Personal Health Information Today
  • Scenario Two: The PHIN — Multiple, non-interoperable platforms
  • Scenario Three: The PHIN — Multiple, interoperable platforms



In this post, I’ll present  images of these scenarios as a foundation for a series of upcoming posts.  David and I will address questions such as “What’s really different about the PHIN? What elements create the transformative potential that has attracted Internet Titans to health care?”

Let’s take a look at these one at a time:

Empowering Health IT for the Medical Home

by David C. Kibbe, MD MBA

The basic premise of the medical home concept is continuous, uninterrupted care that is managed and coordinated by a personal provider with the right tools that will lead to better health outcomes.

In 2007, the American Academy of Family Physicians, American Academy of Pediatrics, American College of Physicians, and American Osteopathic Association released the Joint Principles of the Patient-Centered Medical Home. In this document they state the characteristics of the Patient-Centered Medical Home:

  • Personal Relationship
  • Team Approach
  • Comprehensive
  • Coordination
  • Quality and Safety
  • Expanded Access
  • Added Value

While these characteristics, in theory, may be achieved without the use of health information technology (health IT), it is also true that their realization is more likely to occur if health IT is successfully deployed. Health IT can be an empowering facilitator to the establishment of a medical home, a fact supported by experience.

What is not obvious are the best ways in which health IT should be deployed to reach the objectives of the medical home desired by patients, providers, and payers. Nor is it clear that "one size fits all" when trying to match health IT products and services with the desired characteristics, and to do so in a manner that is affordable and sustainable across a variety of practice types, large and small.

Rather than attempt to list products or suppliers of health IT, e.g. electronic medical records, EMRs, as single "solutions" to the problem of transforming practices into medical homes, we suggest here that a wiser approach is to describe the capabilities that health IT ought to provide or enhance if a medical practice is to become a successful medical home. This approach has the advantage of being vendor-neutral, allowing for innovation, variation and choice in reaching the goal of the agreed upon medical home principles and characteristics listed above.

The list below of Empowering Health IT for the Medical Home is not intended to be complete or exclusive. Over time it may expand or be modified according to the evolution of both the concept of the medical home and the technologies themselves. This flexibility is necessary in a time of constant change. However, we believe this is a reasonable description of the health IT that will empower medical practices to become medical homes in the near future.

We define Empowering Health IT for the Medical Home as computer hardware, software, and related technology that provides or enhances:

From PHRs to PHRSs

Personal health records (PHRs) are evolving toward becoming Personal Health Record Systems (PHRSs).

…that’s my key takeaway from attending the Robert Wood Johnson Foundation (RWJF) Project Health Design (PHD) conference in Washington D.C. on September 17. The conference was entitled “A ‘Report Out’ from Project HealthDesign and Forum on Next-Generation PHRs.”

A PHD Fact Sheet capsulizes the evolution from PHRs to PHRSs:

Heartburn Relief: UnitedHealth Joining Google Health and MSFT HealthVault?

From the August 6 edition of HISTalk — Healthcare IT News and Opinion:

"Re: UHG. Was at the Healthcare Quality Conference yesterday in Boston. Got to talking to a United Health exec who informed me that they have signed an agreement with Google Health and have a pending agreement with HealthVault. This backs up UHG’s previous statement that member records would be made portable. Individual made mention that the Google Health relationship extends beyond just claims records transfer and includes a technology partnership regarding UHG’s OMX."

Commentary: Among health care incumbents, health plans are experiencing the greatest heartburn over the emerging Personal Health Information Network (PHIN).

On the one hand, existing health plan IT and business models have been proprietary and closed. Here’s how a typical health plan might state their POV: