HITECH/HIPAA and Meaningful Use: Part II

EHR & HITECH/HIPAA: Mother of Wicked Problems: Overview.

We will explore the following diagram, which describes system components related to challenges faced by the healthcare industry regarding EHR & HITECH/HIPAA compliance implementations:


Each component of the diagram will be "exploded," counterclockwise starting with key concepts. Once you understand the complexity, we will indicate a way forward using meaningful use as an organizing principle, both for an EHR implementation and for HITECH/HIPAA compliance, since meaningful use encompasses both.

Note: the box in the middle labeled NS-->GS-->FC represents the compliance continuum (i.e. moving from no story ("NS"), to a good story ("GS"), and subsequently to full compliance ("FC")).

To get a preview of where we end up, refer to the diagram below:


The organizing principle is around meaningful use because only by engaging in meaningful use of certified EHR technology will providers and facilities get paid under the HITECH Act (i.e. assuming you choose to participate). In the August issue of the newsletter we covered the major compliance implications of HITECH's Subtitle D-Privacy. In this issue we elected to climb the ladder of abstraction and take a big picture view of best practices and methodologies that providers and facilities may benefit from once they consider the scope and the magnitude of the challenge that lies ahead.


In short, this issue of the newsletter looks at the convergence of policy, law and technology from a holistic perspective and introduces concepts that have proven effective in other industries when confronted with analogous "wicked problems." You can be sure that the September issue will get back to the HITECH Act and the corresponding regulations at a much more granular level of detail, including HHS' recently promulgated Interim Final Rule on Breach Notification. Here, we thought it was important to introduce some foundational considerations before "the implementation cement" is poured.

Just to be clear, when we refer to meaningful use as a "wicked problem" we are using the word wicked to mean hard or difficult, as opposed to evil. Although, at the end of the day some of our readers may indeed come to the conclusion that meaningful use is evil. We decline to make either moral or political judgments; like the show Dragnet "we are interested in just the facts ma'am." We realize that younger readers will have no idea what Dragnet is and to them we say that Google is a wonderful thing.

The diagrams that follow are not intended to be exhaustive. Rather, they represent captured conversations we had during several internal brainstorming sessions. The scope of the problem set that the healthcare industry is facing with respect to HITECH/HIPAA compliance and EHR implementations is broad and deep. The goal here is to help "jumpstart" the conversation within your respective organizations. The key takeaway is that a "systems" approach is required for an effective implementation of a robust compliance strategy and for effective use of an EHR product. Auditors will want to discuss how your combined systems produce the end state objective of meaningful use.

Component 1: Key Concepts

The key takeaway from the diagram below is the concept of agility. The need for agility is clearly recognized but how to actually deliver on the promise is an altogether different matter. It will certainly require a change in healthcare culture (it always does). In an industry as steeped in tradition as healthcare, changing the culture will be a daunting challenge. As Lou Gerstner, who took over IBM after its near death experience, has famously stated:

If I could have chosen not to tackle the IBM culture head-on, I probably wouldn’t have. My bias coming in was toward strategy, analysis and measurement. In comparison, changing the attitude and behaviors of hundreds of thousands of people is very, very hard. [Yet] I came to see in my time at IBM that culture isn’t just one aspect of the game—it is the game.


It is our experience that even small providers and facilities will experience a form of culture shock given the magnitude of these changes (i.e. both to the regulatory scheme and to the enabling technologies that underpin it). In order to cope with this much change, different methodologies are required. Agile methodologies now dominate Web 2.0 / 3.0 software development, but they did not originate there. This methodological approach is well suited for solving problems that are messy and undefined (i.e. most of the hard problems that we now face as a society and certainly the challenges faced by the healthcare industry).

From our perspective, the importance of agile is not related to a particular methodology BUT rather to the philosophy that underpins it. Again, to paraphrase Tom Peters: you only find oil if you dig wells, and wicked problems can only be solved by "failing fast": fast enough to really understand the problem and then make the necessary corrections. This applies conceptually to both compliance and to an EHR implementation.

That said, the counterintuitive concept of "failing fast" (i.e. as the most effective way to ensure success) is arguably anathema to both lawyers and healthcare professionals--therein lies the crux of the problem.

Component 2: Stakeholders

There are a significant number of stakeholders that must participate both in an EHR implementation and in getting everyone on board with a HITECH/HIPAA compliance strategy. The game has changed too radically to simply turn either one of these efforts over to your IT group, or to the compliance and/or legal staff. Too much is at stake. This is now a boardroom issue. Only time will tell which boards and management teams recognize that this paper tiger is now an electronic beast.


The board and the senior management team are the ones that must recognize that the organization will need a considerable amount of help if they are going to succeed. In order to meet this challenge they need to quickly jettison a "not invented here" predisposition and bring to bear the best available talent, both within and outside the organization. This applies to facilities and providers of all sizes, with the biggest difference being one of degree and not kind. A comprehensive EHR/compliance implementation will permeate the entire organization. The board and executive management team are best positioned to change the culture in a manner that fits the new reality.

Component 3: Methodology

There are three principal components that must be considered when implementing any systems based solution: 1) people; 2) process; and 3) platform (i.e. the technology itself). Of the three, it turns out that the people and process components are always, by far, the most difficult. It is almost impossible today to implement a robust compliance strategy without the use of enabling technologies. Obviously, an EHR implementation is technology centric by definition.

Why do you need a system (i.e. in addition to technology) to implement your compliance strategy? Because it will not be sufficient to avoid a finding of willful neglect if you just "dust off" and update your old compliance manual. Those days are over. There is a new sheriff in town. A provider or facility will need to show "demonstrable evidence" that they are in compliance. In short, you will have to track and record your compliance efforts and overall initiative. The only way to do that effectively is through a systemic approach.

Fortunately, there are now inexpensive enabling technologies and "lightweight processes" that will allow even the smallest providers to implement the necessary systems, but only if you are receptive to the "out of the box" thinking required to make this leap.

So, if you want to jump the curve from the old healthcare delivery system to the new one, all three system components must be addressed, but especially the people and process components.


All too often the people and process components are neglected, and as it turns out, these are the most mission critical components to get right when solving a wicked problem. In short, all providers and facilities must be more than just a little suspicious of any partner that focuses exclusively (or even to a large degree) on a technology centric solution. This is "snake oil" of the worst kind and is almost always guaranteed to fail. The problem is far too complicated (i.e. socially, politically and organizationally) for a technology centric solution to deliver on the promised results, however seductive it may appear.

Consider the diagram below and it should be clear that there are many more pieces to this puzzle than what is encompassed by "raw technology."


Component 4: Planning & Execution

The graphic below illustrates an iterative non-linear implementation cycle. There is nothing especially profound regarding how the individual "steps" are labeled (although in this case they are meant to be more representative of a HITECH/HIPAA compliance life cycle); rather, the important point to understand is that it does NOT represent a linear methodology. Let me be clear on this point: your compliance system will be implemented iteratively over time. There is no one-time "big bang" event/project that will take your organization from "no compliance story" to "full compliance." That is why creating a culture of compliance is paramount.


Here is some additional (non-linear) wisdom on "prototyping and iterating" from Tom Peters. Some of the money quotes (that Tom borrowed) are as follows:

"Experiment Fearlessly"
"Innovation = Reaction to the Prototype"
"Reward Excellent Failures and Punish Mediocre Successes"
"Effective Prototyping may be the Most Effective Core Competence"
"We Act from Day One While Others Plan How to Plan for Months"

As counterintuitive as this may sound, you will be prototyping your compliance implementation in addition to your EHR implementation. Recently a healthcare professional (a fan of Tom Peters) stated: "the healthcare industry is not ready for Tom Peters." The point is that it had better get ready; not because Tom has all the answers (no one does), but rather because Tom Peters is a thought leader regarding how innovative organizations find the "right" answers.

The thinking that he and others have developed around "agility" holds profound lessons that many in the healthcare industry have yet to assimilate. The continued use of linear methodologies will lead to more EHR disasters.

As Component 3 suggests, most of the complexity surrounding HITECH/HIPAA compliance, and an EHR implementation, lies in "messy" people/process issues. In order to discover just how "wicked" these issues are, an agile methodology and "systems thinking" are absolute requirements.

Moving from "No Story" to a "Good Story" Revisited

HITECH/HIPAA compliance is not a one-time event but a process. The same holds true for implementing an EHR system. In order for a provider or facility to reach their objective they will need to work on the people, process and platform components simultaneously; all three are required to move from "no EHR/Compliance Story" to a "Good EHR/Compliance Story."


However, more is required than just a philosophy. Providers and facilities need methods that will work in the trenches, and traditional waterfall methodologies are not going to cut it. So what will? There is no cookbook answer to this question that applies to all organizations. That said, if the industry is ever going to get to Health 2.0 (whatever that turns out to be), including meeting all of HHS's meaningful use requirements, then some sort of agile process that encompasses systems thinking will need to be adopted. The graphic below is an example.


As previously mentioned, what you label the discrete "steps" is not nearly as important as adopting an iterative methodology. There is simply no silver bullet magic solution to this problem. Anyone that thinks there is has been drinking the "kool aid" and/or listening to way too many sales pitches. We are strong believers that enabling technologies will play a critical role in improving the U.S. healthcare system, but we also feel strongly that it is important to be honest and realistic about the challenges that lie ahead.

We are looking at a global digital inflection point likely larger in scope than the one that occurred as we moved from an agricultural economy to the industrial revolution. The healthcare industry will feel the impact more than most: 1) because of its enormous complexity; and 2) because it lags in its adoption of "health information" technologies. It will be an interesting and exciting journey, and ultimately we believe, "transformative" and productive. BUT it is not going to be easy, in fact quite the opposite. This much change will be painful for many healthcare organizations, professionals and other stakeholders.

Component 5: Governance

The governance issues related to HITECH/HIPAA compliance were discussed in the post "Governance Under HITECH/HIPAA: Two Types of Risk?" A recent study found that 69% of the cost of a data breach is due to loss of business (see HHS' Interim Final Rule on Breach Notification cost section).

By far, the business risks associated with non-compliance will completely overshadow the compliance risks, despite the fact that the HITECH Act has completely transformed the latter from a paper tiger into an electronic beast.

The fact of the matter is that effective delivery of competitively priced, high quality care will require a convergence of a healthcare delivery strategy, an information technology strategy, and a systemic compliance strategy. In short, it will require a dramatically altered healthcare delivery value proposition. Treating any one of these components as a separate silo will lead to sub-optimization and likely to an overall failed approach. Board members and executive teams have no alternative but to engage. How this new value proposition is governed is likely to separate the winners and losers.

Component 6: Resources

This component focuses on resource utilization and stresses the importance of leveraging what is available. There are a significant number of high quality resources now available on the Internet. Some of the best information is starting to come from the Federal agencies themselves. HHS, in particular, has done an outstanding job of providing high quality content related to HIPAA compliance.

The HHS Health Information Privacy portal is the place you should start if you are looking for regulatory information regarding HIPAA's Privacy Rule. The HHS Security Standard portal is the place you should start if you are looking for regulatory information regarding HIPAA's Security Rule.

Of special note in the HHS Security Standard portal is a link to the HIPAA Security Educational Paper Series. This series is "must reading" for all organizational stakeholders; not just IT, compliance, or legal staff.


A more expansive list of industry related sites can be found on the HIPAA Survival Guide's (HSG) resources page here. In future releases of the guide, additional reference information will be made available and categorized by a "to be developed" taxonomy. The problem now is NOT the availability of high quality content but rather that there is too much of it, and therefore raw search technology only goes so far in addressing the "needle in the haystack" problem. The intent of HSG's resource page(s) is to provide enough reference links on a given topic to get the reader pointed in the right direction.

Recently, the full text of the HITECH Act was added to HSG online. You can now point and click to a relevant section of the statute and thereby read the primary authority as it is written, as opposed to relying on someone else's interpretation.

The next release of the HSG online version will also contain not only our paraphrased interpretation of the HIPAA Privacy and Security Rules, but the full text as well. In every place that a section of the Rules refers to another section (which happens often) you will be able to easily navigate to the referenced section.

In short, while the content available on the Internet is not a panacea, it is certainly a good idea to leverage what is out there.

Component 7: Partners

Most providers and facilities will find it extremely difficult to meet their EHR/compliance objectives without an effective partnering strategy. Why? For all the reasons that we have discussed during this issue of the newsletter. There is simply far too much complexity for any one organization to go it alone. That said, there are some partners listed below that might not be considered "traditional."

Developing an effective partnering strategy involves, at its core, establishing a set of trusted relationships. It might surprise you that regulators can be effective partners. How so? If you engage them early in the process and build rapport with them, then many are willing to point you to available resources that might help simplify certain tasks. That's not to say that a regulator won't be rigorous in his/her enforcement, but rather it is simply human nature to lend more assistance to people we know and trust.

Likewise, trusted colleagues within the industry can be great partners. By and large, providers and facilities of similar sizes, will be solving analogous problems. There is much to gain from sharing lessons learned early in the process. Unfortunately, annual conferences do not occur often enough for this type of sharing to be effective vis-a-vis aggressive implementation deadlines. However, virtual tools are now mature enough that travel is not required. Learn to use these tools to your advantage and build collaborative relationships with peers in the industry.


It is often difficult to discuss partnering concepts without sounding "pollyannaish." Who needs it? We all do. Our professional lives have become far too complex. Lastly, building effective partnerships is not "kids' stuff," it's hard work. Get busy.

Component 8: Meaningful Use

Finally, we arrive at the point of synthesis. If you are considering implementing an EHR and have already started thinking about HITECH/HIPAA compliance, then this is the beginning of the process for you. This entire list of system components can be considered a "hit list" of things to reflect upon during an implementation project.

That said, the entire list converges on meaningful use, the final component of our diagram below, and we recommend that you seriously consider selecting meaningful use as your organizing principle. Why? Well, we believe there are many reasons for doing so, but these three are at the top of that list:

  1. In order to get paid under the HITECH Act you must demonstrate: Meaningful Use of Certified EHR Technology.
  2. The five policy priorities listed in the diagram below are directly from HHS' meaningful use matrix. The objectives and care goals (i.e. within HHS' meaningful use definition) for 2011, 2013 and 2015 are all categorized under a specific policy priority.
  3. Why reinvent the wheel? Many (if not all) of the meaningful use requirements represent the thinking of healthcare's "best and brightest" over the past twenty years. These requirements should already be action items for providers and facilities that want to compete fiercely in the 21st century.


Practical Advice for Getting Started

Now that you have had an opportunity to consider the complexity of the projects you are embarked upon, we will transition the discussion to the practicalities of actually getting started. At this point it is quite understandable to feel more than a little overwhelmed. That will lead many to a long planning cycle and the use of a linear methodology. Long planning cycles are a "natural" reaction to analysis/paralysis. Why?
  1. You realize that you need to get started;
  2. You also realize that you do not understand the problem well enough to act immediately; and
  3. It is human nature to delay acting for any number of reasons, including fear that "we might not get it right" given the enormous challenge.

The only way to understand a wicked problem is to begin trying to solve it. That doesn't mean that you buy the first EHR package you become enamored of, or hire the first consultant or lawyer that walks in the door. An agile methodology does not dispense with planning; it simply means that you plan and act, plan and act, plan and act, across a number of iterations (and concurrent projects) until you understand the problem(s) well enough to come up with a reasonable solution/approach. Notice that we did not say the best solution/approach. There is no best solution. There is simply a subset of solutions that will work better for your organization than others.

Next Month's Featured Article: How to Build a Good Compliance Story (continued): Part III of the Series HITECH/HIPAA and Meaningful Use

Your principal task is to quickly find a small viable subset of solutions and then choose among them. That is the general approach. This approach can be applied to each of the system components (e.g. getting the required stakeholders involved, identifying critical resources, selecting partners, etc.) where appropriate.

The October issue of the newsletter will provide more specifics around this central theme, and will re-focus the discussion on the HITECH Act and HHS' newly issued regulations, which collectively amount to game changers.
The October issue will also contain an article by guest author, Deborah Leyva, RN, BSN: "Using an Internet Presence to Engage Patients and Families: the Value of the Internet in Healthcare." Engaging patients and families is one of HHS' top five policy priorities in its proposed meaningful use definition. Again, all 2011 meaningful use priorities and objectives must be met if you want to get paid your EHR incentives.


Looking for a Little Inspiration?

The video 212 Degrees definitely works for us and so we thought we would share. We are not in any way affiliated with this website; you can simply skip the ad at the end, or share it with friends as you see fit. The money quote, based on this month's newsletter theme, comes from Walter Elliot:

Perseverance is not a long race, it is many short races run one after another.

Also, if you have not yet seen the Health 2.0 video, this one is incredibly well done and entertaining.
