
Meaningful Use criteria and Healthcare IT Infrastructure

This is another excerpt from my class on Healthcare IT Infrastructure, analyzing the Final Rule for Meaningful Use of Healthcare IT for its infrastructure implications:

Healthcare IT is currently undergoing an unprecedented rebuilding process. The paper chart used in the past, and the EMR that replaced it, were focused on recording episodes of care for one provider with one patient. Each episode of care contains Problems (usually the reason someone uses medical care), Medications, Allergies, Lab-Tests and other notes, usually organized in a hierarchical data model.

Through ARRA/HITECH, the government provides incentives to reshape the EMR into an EHR, which includes interoperability – meaning that data needs to be exchanged with other care providers, payers, and public health agencies. This has massive implications for the IT infrastructure of providers, because now clinical data (not only claims data) needs to be shared securely with other providers, and even electronic access by patients is required.

Healthcare IT managers have to rebuild infrastructure right now at an unprecedented scale and complexity, all while having to adhere to extended HIPAA Privacy and Security rules.

Here is a comprehensive overview of Objectives and Measures for Meaningful Use for Eligible Providers (EP) based on the Final Rule published in July 2010[1]:


1. Objective: CPOE: Use computerized provider order entry (CPOE) for medication orders directly entered by any licensed healthcare professional who can enter orders into the medical record per state, local and professional guidelines.
   Measure: … more than 30 percent of all unique patients with at least one medication in their medication list seen by the EP have at least one medication order entered using CPOE.
   Infrastructure: Data entry at the point of care (mobile access); EMR with CPOE capability.

2. Objective: Implement drug-drug and drug-allergy interaction checks.
   Measure: The EP has enabled this functionality for the entire EHR reporting period.
   Infrastructure: Use of medication information source such as FDB or Medispan with online updates.

3. Objective: Maintain an up-to-date problem list of current and active diagnoses.
   Measure: More than 80 percent of all unique patients seen by the EP have at least one entry or an indication that no problems are known for the patient recorded as structured data.
   Infrastructure: Create CCD (structured XML) record with coded problems (ICD9/ICD10), HITSP C32.

4. Objective: Generate and transmit permissible prescriptions electronically (eRx).
   Measure: More than 40 percent of all permissible prescriptions written by the EP are transmitted electronically using certified EHR technology.
   Infrastructure: Connectivity with RxHub and coded medications.

5. Objective: Maintain active medication list.
   Measure: More than 80 percent of all unique patients seen by the EP have at least one entry (or an indication that the patient is not currently prescribed any medication) recorded as structured data.
   Infrastructure: Create CCD with Problems, Meds & Allergies.

6. Objective: Maintain active medication allergy list.

7. Objective: Record all of the following demographics:
   (A) Preferred language.
   (B) Gender.
   (C) Race.
   (D) Ethnicity.
   (E) Date of birth.
   Measure: More than 50 percent of all unique patients seen by the EP have demographics recorded as structured data.
   Infrastructure: Part of CCD.

8. Objective: Record and chart changes in the following vital signs:
   (A) Height.
   (B) Weight.
   (C) Blood pressure.
   (D) Calculate and display body mass index (BMI).
   (E) Plot and display growth charts for children 2 – 20 years, including BMI.
   Measure: … more than 50 percent of all unique patients age 2 and over seen by the EP, height, weight and blood pressure are recorded as structured data.
   Infrastructure: EMR/EHR functionality.

9. Objective: Record smoking status for patients 13 years old or older.
   Measure: … more than 50 percent of all unique patients 13 years old or older seen by the EP have smoking status recorded as structured data.
   Infrastructure: EMR/EHR functionality.

10. Objective: Report ambulatory clinical quality measures to CMS or, in the case of Medicaid EPs, the States.
    Measure: … successfully report to CMS (or, in the case of Medicaid EPs, the States) ambulatory clinical quality measures selected by CMS in the manner specified by CMS (or in the case of Medicaid EPs, the States).
    Infrastructure: Requires in many cases that data is off-loaded to RDBMS for processing and reporting.

11. Objective: Implement one clinical decision support rule relevant to specialty or high clinical priority along with the ability to track compliance with that rule.
    Measure: Implement one clinical decision support rule.
    Infrastructure: EMR/EHR functionality which requires data entry at the point of care.

12. Objective: Provide patients with an electronic copy of their health information (including diagnostics test results, problem list, medication lists, medication allergies) upon request.
    Measure: … more than 50 percent of all patients who request an electronic copy of their health information are provided it within 3 business days.
    Infrastructure: Requires patient portal with secure access to structured data and export, usually as CCR.

13. Objective: Provide clinical summaries for patients for each office visit.
    Measure: … clinical summaries provided to patients for more than 50 percent of all office visits within 3 business days.
    Infrastructure: EMR functionality.

14. Objective: Capability to exchange key clinical information (for example, problem list, medication list, allergies, and diagnostic test results), among providers of care and patient authorized entities electronically.
    Measure: Performed at least one test of certified EHR technology’s capacity to electronically exchange key clinical information.
    Infrastructure: Requires ability to store structured data in a CCD/CCR (CDA2, XML) and web services for patient identity (PIX/PDQ), Provide and Register, and retrieve document sets.

15. Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
    Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
    Infrastructure: Implement technical, physical, and administrative safeguards.


More details are in the text of law (42 CFR, see above) or here:

Let me highlight a few infrastructure consequences of the Meaningful Use (MU) guidelines:

  • Data has to be captured in structured format. Structured means (a) not paper and (b) not in a text document, but essentially in a CCD or CCR. CCD and CCR are based on HL7 CDA2, which itself uses XML for a hierarchical, structured continuity of care record/document (Dolin et al, 2006). For MU, a specific derivative has been specified and standardized as HITSP/NIST C32. As a consequence, all EMR vendors have to update their software to add these features, so their clients can meet MU. That also means that hundreds of thousands of providers have to undergo major software release upgrades, or implement electronic medical records for the first time.
  • Section 10 (Quality Reporting) means that providers need to be able to generate reports across their patient population for epidemiological purposes and report data. Traditional MUMPS databases struggle with reporting across the branches of their tree, but newer versions like Cache either provide SQL interfaces, or provide ETL tools to download into a data warehouse (DWH) for reporting purposes. This is of course troublesome for a single provider.
  • Section 12 (Patient Portal) requires patient access to electronic health information. This is difficult for providers with traditional stand-alone EMR systems, but many SaaS-style EMR offerings have emerged, providing Personal Health Record (PHR) access along with the EHR.
  • Section 14 (Health Information Exchange) requires the capability to exchange clinical data with other providers. HL7 messages are insufficient for this, because traditional HL7 messages have document types for unstructured data (HL7 MDM). For the exchange of structured documents like CCD or CCR, it is necessary to build a web services infrastructure such as IHE ITI XDS.b.
  • Section 15 (Data Security) re-emphasizes that all this needs to happen under the HIPAA framework. 45 CFR 164.308(a)(1), which is referred to in section 15, is of course the HIPAA Privacy and Security rule. This constitutes a challenge in combination with all the other requirements, because the cross-provider access allows providers from outside the organization to access documents, but still requires maintaining access controls and auditing in accordance with the law. As we have discovered since 1996, it was already difficult to achieve compliance within a single organization – now this compliance needs to be extended to Health Information Exchanges.
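An added example (not from the original post or any EMR product) of what "structured" means for the receiving side of an exchange under objectives 3 and 14: it pulls coded problems out of a CCD received from another provider, refuses documents that carry a DTD, and evaluates the objective 3 threshold. The sample document is constructed and heavily simplified (not a conformant C32 instance), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Added example, not the original author's code. Function names are hypothetical.
NS = {"h": "urn:hl7-org:v3"}      # HL7 v3 / CDA namespace
PROBLEM_LIST_LOINC = "11450-4"    # LOINC code of the CCD problem list section
DIAGNOSIS_CODE_SYSTEMS = {
    "2.16.840.1.113883.6.103": "ICD-9-CM",
    "2.16.840.1.113883.6.90": "ICD-10-CM",
}

# Constructed sample: simplified CCD-style document with one coded and one uncoded problem.
SAMPLE_CCD = """<ClinicalDocument xmlns="urn:hl7-org:v3">
  <component><structuredBody><component><section>
    <code code="11450-4" codeSystem="2.16.840.1.113883.6.1"/>
    <entry><observation classCode="OBS" moodCode="EVN">
      <value code="250.00" codeSystem="2.16.840.1.113883.6.103" displayName="Diabetes mellitus"/>
    </observation></entry>
    <entry><observation classCode="OBS" moodCode="EVN">
      <value displayName="free-text complaint, no code"/>
    </observation></entry>
  </section></component></structuredBody></component>
</ClinicalDocument>"""

def coded_problems(ccd_xml: str) -> list[tuple[str, str]]:
    """Return (code system name, code) for each coded problem in an inbound CCD."""
    # The document comes from outside the organization: refuse any DTD before
    # parsing, so entity declarations never reach the XML parser.
    if "<!DOCTYPE" in ccd_xml:
        raise ValueError("DTD not allowed in inbound clinical document")
    root = ET.fromstring(ccd_xml)
    found = []
    for section in root.iter("{urn:hl7-org:v3}section"):
        code = section.find("h:code", NS)
        if code is None or code.get("code") != PROBLEM_LIST_LOINC:
            continue  # not the problem list section
        for value in section.iterfind(".//h:observation/h:value", NS):
            system = DIAGNOSIS_CODE_SYSTEMS.get(value.get("codeSystem", ""))
            if system and value.get("code"):
                found.append((system, value.get("code")))
    return found

def meets_problem_list_measure(documents: dict[str, str], threshold: float = 0.80) -> bool:
    """Objective 3 threshold: more than 80 percent of patients have a coded problem.
    The "no known problems" indication is not modeled in this example."""
    if not documents:
        return False
    with_entry = sum(1 for xml in documents.values() if coded_problems(xml))
    return with_entry / len(documents) > threshold
```

The free-text entry is parsed but not counted, which is the practical difference between a text note and structured data for the measures above.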

Dolin, R., Alschuler, I., Boyer, S., Beebe, C., Behlen, F., Biron, P., et al. (2006). HL7 clinical document architecture, release 2. Journal of the American Medical Informatics Association, 13(1), 30.

[1] United States Department of Health and Human Services, Centers for Medicare & Medicaid Services, 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule, online at