Working Toward Uniform State Regs

AHIMA CEO Laments 'Confusing' Privacy, Security Requirements
Working Toward Uniform State Regs
The lack of uniformity in federal and state privacy and security requirements is creating major challenges for health information managers attempting to comply, says Lynne Thomas Gordon, the new CEO of the American Health Information Management Association.

"It's confusing, contradictory and it's expensive for entities and consumers to understand and work with such a situation," Thomas Gordon says.

AHIMA plans to work with various states next year to move toward more uniform privacy and security requirements that are in synch with federal requirements, the CEO explains.

Thomas Gordon says delays in the release of the final versions of HIPAA modifications and the HIPAA breach notification rule also are causing headaches for AHIMA members. "The impact of the delay is most severe when it comes to implementing all the technical and policy changes related to information exchange and implementation of EHR systems and practices," she says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).

AHIMA members, who include health information managers involved in automating records, are particularly concerned that IT vendors will not be able to provide timely compliance assistance if the pending rules "create a significant requirement for systems changes that overlap or conflict with the [HITECH Act electronic health record incentive program's] meaningful use requirements," Thomas Gordon says.

In the interview, AHIMA's new CEO also:

  • Says she doesn't expect the resignation of Donald Berwick, M.D., as head of the Centers for Medicare and Medicaid Services will result in any significant shifts in policies.
  • Expresses hope that Congress will not cut funding for the HITECH Act's electronic health record incentive program next year. "Healthcare entities are making decisions on the basis of the HITECH program," she notes. "To reverse funding at this point could damage the healthcare system further ..."

Thomas Gordon, MBA, RHIA, FACHE, became AHIMA's chief executive officer on Sept. 29. A veteran healthcare executive, her experience also includes academia and a wide spectrum of association involvement. She formerly was associate vice president for hospital operations and director of the Children's Hospital at Rush University Medical Center in Chicago.

AHIMA's Mission

HOWARD ANDERSON: For starters, why don't you briefly describe AHIMA, its mission and its members for us?

LYNNE THOMAS GORDON: AHIMA's members are educated and certified to work with health information across the spectrum of healthcare providers and health plans, collecting, storing, analyzing and reporting to improve the quality of healthcare while also protecting the health information from unauthorized access. As such, health information professionals are at the forefront of implementation of electronic health record systems and electronic exchange, and are deeply concerned about health information, integrity and confidentiality. We say that AHIMA leads to help informatics and information management communities to advance professional and practicing standards.

ANDERSON: Tell us a little bit about your background and why you decided to take on this leadership role.

THOMAS GORDON: I feel that I have been groomed for this moment in time my entire career. I started out as an entry-level utilization review coordinator, moved into an assistant director role and then a director role. I then went back and got my MBA and continued to move up in hospital administration. I actually decided to take on this leadership role after I read the job specs and said, "Wow, I think I could really make a difference."

The second thing is I feel that this is just such an exciting time to be in health information management with all the changes happening in our environment.

Privacy, Security Challenges

ANDERSON: What do you see as the biggest healthcare information privacy and security challenges that AHIMA's members now face? And how can the association help its members tackle those issues?

THOMAS GORDON: I think the biggest challenge continues to be the lack of uniformity and the myriad of privacy and security requirements. All of our entities are facing this from the states and the federal government. It's confusing, contradictory and it's expensive for entities and consumers to understand and work with such a situation.

AHIMA is continuing to educate both our members and consumers via our myPHR.com website on these issues and requirements. In 2012, AHIMA plans not only to address and educate on the HITECH/HIPAA changes that should be forthcoming, but we also want to work with state HIM associations and to work at the local level for uniformity. AHIMA will, of course, also continue its work with the Department of Health and Human Services' Office for Civil Rights, the Office of the National Coordinator for Health Information Technology and the various advisory committees on those privacy and security issues.

HIPAA, HITECH Delays

ANDERSON: How is the long delay in the release of the final versions of the HIPAA modifications mandated by the HITECH Act, as well as the final HIPAA breach notification rule, affecting your members? And what advice would you give members on how they should be preparing to comply with these final rules once they eventually come out?

THOMAS GORDON: As noted, AHIMA continues to address the various regulations and issues. The impact of the delay is most severe when it comes to implementing all the technical and policy changes related to information exchange and implementation of EHR systems and practices in an entity. We have continued to educate members on the need to be in full compliance with the HIPAA rules as they stand today, and we have pointed out to members and industry leaders alike the potential conflicts and the timing of implementation, as well as the limited availability of vendor assistance, if the revised rules create a significant requirement for system changes that overlap or conflict with the meaningful use [HITECH Act EHR incentive program] requirements. We would hope that OCR, ONC and CMS [Centers for Medicare & Medicaid Services] are working with each other to make the requirements and timetable for implementation work with all the current requirements facing healthcare entities.

EHR Incentives

ANDERSON: Do you anticipate that a majority of the organizations where your members work eventually will apply for HITECH Act incentive payments for using electronic health records? And what advice would you have for those organizations that are implementing their very first EHRs, or expanding their use of electronic records, about how to protect them?

THOMAS GORDON: AHIMA members work across the industry in organizations of various sizes and needs. While our members are working with the systems and the very necessary process of ensuring that systems fit the particular workflow of their employer, the decision to apply for the meaningful use incentive payment goes beyond the management of health information, and we have not actually taken a poll of our members on that. We have kept our members up-to-date with all that's happening in the incentive program, and certainly hope that qualified organizations will apply.

In the meantime, we have also worked with a number of entities, especially in the long-term, post-acute and behavioral healthcare settings, to seek congressional support so they can also qualify for incentive payments. We have also worked with our state associations, as well as our members, to support those assisting physicians and other small practices with implementation. Our RHIT, registered health information technician, and RHIA, registered health information administrator, graduates actually have the training and education to greatly assist in implementation, and that education extends to standards and security, as well as ensuring systems fit the practices and workflow of an organization.

My advice to entities putting in their first system would be to fully engage their HIM professionals, and if they have none of those people on staff, engage an HIM professional to assist them either on a full-time or part-time basis. As you know, the implementation is much more than putting in a computer and involves not only the workforce but also understanding the meaningful use requirements, quality reporting requirements ... and other requirements. ...

Donald Berwick's Resignation

ANDERSON: Shifting to another subject, Donald Berwick has stepped down as head of the Centers for Medicare and Medicaid services, replaced on an interim basis by Marilyn Tavenner. What's your perception of the impact that change might have on healthcare privacy and security issues, or the overall electronic health record incentive program under the HITECH Act?

THOMAS GORDON: We are sorry to see Dr. Berwick go, but Ms. Tavenner has been working with him and we do not expect to see any significant shifts as a result of this change. As far as privacy and security goes, it remains important that CMS work closely with OCR and ONC to ensure that we have harmonized and uniform requirements and certification standards, as well as a timetable to allow for compliance with requirements that will protect the confidentiality of health information while also promoting advancement in population health, quality and patient safety.

ANDERSON: Finally, do you think any HITECH Act funding for electronic health records and health information exchanges might be in jeopardy as a result of efforts to cut the federal budget next year, and what would you say to those who advocate cutting the funding?

THOMAS GORDON: It's difficult to predict what Congress will do, and obviously we will continue to promote the advancement of uniform electronic health records with Congress on the basis that a uniform interoperable system in the U.S. will improve health and efficiencies and therefore lower the cost of healthcare for everyone. Healthcare entities are making decisions on the basis of the HITECH program, and to reverse funding at this point could damage the healthcare system further. Healthcare exchange is a different issue that needs to be resolved by the industry and government, both on the federal and state levels.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.