Sunday, August 20, 2006

How Does the Paperwork Reduction Act Influence Federal HIT Action?

AHRQ / OMB Request

Efforts to develop consensus and seek public input are costly and time-consuming. Data on one ambitious program were presented this summer, and the results of the ongoing analysis may do much to help states understand the time and effort required to advance a health care agenda more broadly.

In the Wednesday, June 7 Federal Register (v. 71, n. 109, p. 32964), AHRQ made a request to the OMB for information collection as part of an AHRQ contract for "Privacy and Security Solutions for Interoperable Electronic Health Information Exchange." The document states that the process would involve 12,759 stakeholders each taking three hours for a total burden of 38,250 hours.

Comments on the AHRQ information collection were requested with regard to any of the following:

  • whether the proposed collection of information is necessary for the proper performance of functions of AHRQ, including whether the information will have practical utility;
  • the accuracy of the AHRQ's estimate of burden (including hours and cost) of the proposed collection of information;
  • ways to enhance the quality, utility and clarity of the information to be collected; and
  • ways to minimize the burden of the collection of information upon the respondents, including the use of automated collection techniques or other forms of information technology.


The answers to these questions will have implications for all state efforts to effect change and may cause additional review into the ways to improve the federal contracting process.

Quoting from the RFP:

The purpose of this contract is to:

  1. assess variations in organization-level business policies and state laws that affect health information exchange;
  2. identify and propose practical solutions, while preserving the privacy and security requirements in applicable Federal and state laws; and
  3. develop detailed plans to implement solutions. HHS encourages the Contractor to coordinate through subcontracts with approximately 40 states or territorial governments or its duly recognized entity, as directly teaming in this manner is a critical element to the successful completion of this contract within the prescribed timeframe.

The Contractor shall also work collaboratively with other HHS health IT contractors working on the development and evaluation of NHIN architecture prototypes and appropriate stakeholders from the Department of Health and Human Services (HHS), Department of Veterans Affairs (VA), Department of Defense (DoD), Department of Commerce (DoC), Department of Homeland Security (DHS), Environmental Protection Agency (EPA), National Science Foundation (NSF) and General Services Administration (GSA). The contractors shall meet and collaborate because there are tasks within each contract that are interdependent and require a coordinated and systematic approach.

The Contractor must also:

Convene as necessary a statewide or regional workshop to finalize and reach consensus on the assessment and potential solutions. Statewide meetings shall include, but not be limited to, the following stakeholders: clinicians, physician groups (primary and specialty care) and other providers, Federal health facilities (i.e., Department of Defense, Indian Health Service, Department of Veterans Affairs), hospitals, payers, public health agencies, community clinics and health centers, laboratories, pharmacies, long term care facilities and nursing homes, homecare and hospice, correctional facilities, professional associations and societies, medical and public health schools that undertake research, quality improvement organizations, consumers or consumer organizations and state government (Medicaid, public health departments, etc.). The Contractor, including any subcontractors, shall be responsible for securing the meeting facility, identifying and inviting participants, establishing the agenda, identifying speakers and presenters, travel and honoraria for speakers and presenters, and for the preparation and dissemination of meeting materials. Meeting participants will be responsible for their own travel and per diem costs.

The RFP issued by the recipient of the contract states:

  • The Technical Proposal shall clearly describe the approach, process, scope, and possible outcomes for the different types of requirements called for under this contract. The Technical Proposal must clearly describe how the state will complete a number of critical tasks, representing statewide interests. For example, the Technical Proposal must describe how the state will:
  • Organize the steering committee and working groups to examine statewide privacy and security policies and business practices regarding electronic health information exchange and the current legal requirements in the state that may be driving those policies.
  • Convene and work closely with a wide range of stakeholders throughout the state, representing statewide interests, which have a stake in advancing interoperable health information technology.
  • The entities shall include, but not be limited to, clinicians, physician groups (primary and specialty care) and other providers, federal health facilities (i.e., Department of Defense, Indian Health Service, Department of Veterans Affairs), hospitals, payers (including employers that sponsor group health plans), public health agencies, community clinics and health centers, laboratories, pharmacies, long-term care facilities and nursing homes, homecare and hospice, correctional facilities, professional associations and societies, medical and public health schools that conduct research, quality improvement organizations, state government entities (Medicaid, public health departments, etc.), and both individual consumers and consumer organizations.
  • Identify any challenges that existing privacy and security policies and laws pose to interoperable health information exchange.
  • Identify best practices and solutions for maintaining privacy and security protections while enabling operation of a health information network.
  • Develop an implementation plan to address organization-level business practices and state laws that affect privacy and security practices in order to permit interoperable health information exchange.
  • Identify the intersection with, and build upon, existing state and regional interoperability efforts (if any).
  • Participate in regional and national meetings with other states to share knowledge and collaborate on health information exchange privacy and security issues and related issues.

Evaluation Criteria:

The Technical Proposal shall be evaluated against the requirements set forth above. The Technical Proposal shall also be evaluated on the completeness, reasonableness, clarity, and feasibility of the approach to satisfy the requirements of each individual task of the Statement of Work.



An OMB Memo concerning the Paperwork Reduction Act states that the "PRA requires agencies and OMB to ensure that information collected from the public minimizes burden and maximizes practical utility."

From a preliminary analysis, the answer to the above questions seems to be "we don't know." But the primary purpose of these questions is not a retrospective critique; it is a progressive attempt at fostering additional efforts to create the types of change essential to the advancement of HIT.

Saturday, April 15, 2006

Legislation - some pointers

Murphy-Kennedy - 21st Century Health Information Act

http://www.govtrack.us/congress/billtext.xpd?bill=h109-2234

Monday, February 20, 2006

A Primer for EHR Licensing Agreements

Daniel F. Shay of Alice G. Gosfield and Associates, P.C. has posted on the web a pre-print entitled "A Primer on Electronic Health Record License Agreements." This publication is to appear in the Health Law Handbook. It covers scope, liability, waivers, data ownership, sub-licensing, and many other important topics.

Ms. Gosfield also partners with James L. Reinertsen in an informative endeavor called "uft-a." This collaboration attempts to apply a unified field theory to health care, focusing on quality. Numerous publications and presentations are available at the uft-a site.

Friday, July 29, 2005

Open Health Records Exchange

Kiki Shuxteau from the Volunteer eHealth Initiative reports the following open source item from a newsletter:

Open Health Records Exchange (OpenHRE) is participating in a national prototype health records exchange project. On Wednesday June 1, 2005 Connecting for Health announced a demonstration project featuring three communities testing the Record Locator Service (RLS). The demonstration is expected to be completed in the third quarter of 2005. Connecting for Health is a public-private collaborative designed to address the barriers to development of an interconnected health information infrastructure in the United States. OpenHRE is an open source project developing a standards-based, scalable, multi-level Record Locator Service with federated records exchange and secure access control. The OpenHRE RLS is based on the OpenEMed project.

IHE - Integrating the Healthcare Enterprise

IHE is an organization created "to improve the way computer systems in healthcare share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively."

Their web site provides a number of technical documents that address technical interoperability. These are highly technical in nature. An example is a draft document on cross-enterprise user authentication.

Sunday, July 17, 2005

PKI that Rings

In the May/June issue of the Journal of the American Medical Informatics Association, Ulrich Sax, Zak Kohane, and Ken Mandl discuss the value of using cell phones as a means of providing strong identification for individuals by creating a registration authority and an identification service. The full-text article (PDF) is available. Many of the 62 citations are also worth a look.

To cut to the chase, examine the following scenario (quoted from their article):

"Helen arrives at an emergency department and wishes to authorize access to her personally controlled health record. She uses her cell phone to call the toll free number of an authentication service. A challenge message is sent to her handset. The handset decrypts the message and encrypts it again with the private key stored in the USIM. To enable the USIM to re-encrypt the message, Helen is prompted to key in a personal identification number, which she has chosen and committed to memory. Helen is then prompted to key in the hospital ID number prominently displayed over the triage desk. Responding in the affirmative, the authentication service contacts the PHR, Helen's record appears on the registration screen in the emergency department, and hospital staff is granted web access to portions of the record, set according to Helen's pre-specified preferences."


The authors begin their article with the conventional wisdom of using two of the following four criteria:

  • something the user knows
  • something that indicates where the user is
  • something related to who the user is
  • something the user carries
The authors then describe the current and future PKI capabilities of the various cell phone technologies in use in the United States and describe how the system could be used in health care applications.

They also identify major challenges, including:
  • Expanding the telecommunications infrastructure and business models to support medical applications
  • Consumer awareness and technical factors affecting usability
  • Contingencies. They mention that 10% of cell phone subscribers say they will change plans in the coming year. They mention the challenges associated with pediatric care and the need for multilayered access approaches that include weaker methods like name, password, and information the patient would know. They suggest that there may be a corresponding multi-layered access to information, matched to the strength of authentication.

This is one of many thought-provoking articles addressing how "smart cards," cell phones, and other commonly used consumer identification methods may be applied to the health care setting. The central lesson in it all: not only may the health care system not have to start from scratch, but efforts that do not take into consideration the growing number of authentication techniques will probably fail.
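The scenario quoted above and the multi-layered access idea can be modelled together; this is an added example, not code from the article or from any project mentioned on this page. HMAC with a shared key stands in for the USIM's private-key operation so that it runs on the Python standard library (a PKI deployment would verify a signature against the subscriber's public key), and the class names, tier policy, PIN and hospital ID are assumptions.

```python
import hashlib, hmac, secrets, time

# Assumed policy: record sections released per authentication strength.
TIERS = {"weak": {"allergies"}, "strong": {"allergies", "medications", "history"}}

class Handset:
    """Phone plus USIM stand-in: the key is usable only after the correct PIN."""
    def __init__(self, key, pin):
        self._key, self._pin = key, pin

    def respond(self, challenge, hospital_id, pin):
        if not hmac.compare_digest(pin, self._pin):
            return None  # wrong PIN: the USIM refuses to use the key
        msg = challenge + b"|" + hospital_id.encode()  # binds approval to one hospital
        return hmac.new(self._key, msg, hashlib.sha256).digest()

class AuthService:
    def __init__(self, ttl=60):
        self.keys = {}     # subscriber -> enrolled key (a public key under real PKI)
        self.pending = {}  # subscriber -> (challenge, expiry time)
        self.ttl = ttl

    def enroll(self, subscriber, key):
        self.keys[subscriber] = key

    def challenge(self, subscriber, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[subscriber] = (nonce, now + self.ttl)
        return nonce

    def verify(self, subscriber, hospital_id, response, now=None):
        """Return 'strong' if the response is fresh and valid for hospital_id, else None."""
        now = time.time() if now is None else now
        nonce, expiry = self.pending.pop(subscriber, (None, 0))  # single use: blocks replay
        if nonce is None or response is None or now > expiry or subscriber not in self.keys:
            return None
        msg = nonce + b"|" + hospital_id.encode()
        expected = hmac.new(self.keys[subscriber], msg, hashlib.sha256).digest()
        return "strong" if hmac.compare_digest(response, expected) else None

def released_sections(tier, preferences):
    """Sections shown: what the tier allows, narrowed by the patient's preferences."""
    return TIERS.get(tier, set()) & set(preferences)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key, PIN and hospital ID
    svc, phone = AuthService(), Handset(key, "4921")
    svc.enroll("helen", key)
    resp = phone.respond(svc.challenge("helen"), "HOSP-17", "4921")
    tier = svc.verify("helen", "HOSP-17", resp)
    print(tier, sorted(released_sections(tier, {"allergies", "medications"})))
```

Because the hospital ID is part of the message the handset responds to, an approval given at one triage desk cannot be presented on behalf of a different facility, and popping the pending challenge makes each approval single-use.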

Selected Computer Security and Identity Links

The Liberty Alliance. The Liberty Alliance is a world-wide consortium created in 2001 to address the technical, business and policy challenges around identity and identity-based Web services.

At the heart of the Alliance are five expert groups (quoted from the Web site):

  • Technology: The Technology Expert Group is in charge of creating the Liberty Specifications and driving the development of sample implementation and interoperability tests.
  • Public Policy: The Public Policy Expert Group drives dialogue with government and non-government groups concerned with the many issues pertaining to identity and data management and ensures that the Liberty specifications enable compliance with pertinent laws and regulations.
  • Business & Marketing: The Business & Marketing Expert Group is tasked with identifying market requirements and driving adoption of the Liberty specifications. It is also the central point for all the Alliance’s communications and drives the creation of Liberty’s Business Guidelines.
  • Conformance: The Conformance Expert Group defines and manages the process for validating vendor interoperability and manages the overall conformance testing program.
  • Services: The Services Group defines and manages the process and development for creation of new identity service specifications.

A useful glossary can also be found at the site.

Markle Foundation's Connecting for Health initiative. Numerous efforts in the works. One notable foundational work is their Privacy and Security Working Group Report. June 5, 2003 [PDF]

NMI-EDIT. The NMI Enterprise and Desktop Integration Technologies (EDIT) Consortium is part of the NSF Middleware Initiative (NMI). Its goal is to improve the productivity of academic scientists and higher education. Membership in NMI-EDIT consists of Internet2, EDUCAUSE, and the Southeastern Universities Research Association (SURA). Their development efforts comprise a coordinated set of core middleware tools in the areas of identity and access management architectures, standards for deployments, related directory schemas, and tools. Current major projects include Signet privilege management, Grouper group management, Middleware Diagnostic tools, and the Shibboleth technology.

Transportation Worker Identification Credential. TSA has tested a system-wide common credential that can be used across all transportation modes. TWIC can be used for all personnel requiring unescorted physical and/or computer access to secure areas of the national transportation system. It was developed in response to threats and vulnerabilities identified in the transportation system and in accordance with the legislative provisions of the Aviation and Transportation Security Act (ATSA) and the Maritime Transportation Security Act (MTSA).
The TWIC will positively tie the person to their credential and to their threat assessment. The credential can then be used with the local facility access control system to allow unescorted access to those in possession of a valid TWIC card.

The program is currently preparing for production. The Prototype test was successful and ended on 30 June 2005. The first two phases involved developing the plan for the program and evaluating the data storage technology. The third phase has tested the business processes that include enrolling workers, conducting the security assessment, issuing cards and daily usage of the credential.

TSA and the United States Coast Guard (USCG) have joined to develop a proposed rule to implement the TWIC for the maritime mode. As a result of this effort, USCG is providing significant input to TSA regarding the impacts and processes involved in a future TWIC program. TSA and USCG have issued a joint New Proposed Rule Making (NPRM) that outlines various requirements and applicability for the TWIC. The regulation will seek to achieve the security benefits that Congress expected when the MTSA was enacted without imposing unnecessary burdens on the regulated community. The Credential was introduced at 26 different sites including ports in the East/West and Florida. Each site used a biometric technology to provide authorized transportation workers access to controlled areas.

The TWIC Program will enhance security at U.S. transportation facilities while boosting the efficiency of commercial activity. Up to 850,000 maritime port transportation workers are expected to participate in the initial rollout of the program over eighteen months starting by the end of 2006. This initial effort will include enrollment centers in 125 different ports located in 38 states.

Tuesday, June 21, 2005

Selected Markle Connecting for Health Links

The Connecting for Health Home Page is the definitive source.
  • Privacy and Security Report - June, 2003. PDF
  • Data Standards - June, 2003. PDF
  • Preliminary Roadmap - June, 2004. PDF - large file
  • Financial, Legal, and Organizational Issues. PDF
  • ONCHIT Response Overview - January, 2005. PDF
  • Linking report - February, 2005. PDF

Sunday, June 19, 2005

Overview

This site will be used to post links to documents that address the technical issues surrounding eHealth data exchanges and their policy implications. Topics will include:
  • Access (T-1)
  • Security Policies (T-2)
  • Security Practices (T-3)
  • Security Standards (T-4)
  • Technical Standards (T-5)