John D. Halamka, MD, MS, is chief information officer of Beth Israel Deaconess Medical Center and chief information officer and dean of technology at Harvard Medical School.
What responses are you getting from your suggestion that Meaningful Use be dissolved and rolled into other CMS programs?
I would say 95 percent of the responses that I’m getting are very favorable. They say that the last five years has been like running a marathon every day. There’s a point at which you’re tired. You have to step back and say, "We’ve run a long distance." Now, how do we take that next step?
People of course say there’s some subtlety to moving forward, such as the Medicaid program was really about taking those without resources and funding them, as opposed to the Medicare program, which was initial funding followed by penalty. So when you say, “eliminate the program,” do you really mean no longer pay Medicaid providers to finish their implementations?
That’s not at all what I meant. Which is to say, let’s get away from the idea of penalties on the Medicare side. Keep our Medicaid program still going, because if you’ve not finished your implementation, we’ve got to get that done. Instead of being highly prescriptive about the Medicare must-dos and the penalties resulting if you don’t, let’s offer some outcomes and let’s offer some variability. People have made that subtle comment.
One of the things they’ve also made a comment about is that I have recommended this FHIR standard. It’s something that is seemingly forward-looking. It’s the sort of thing Google and Amazon and Facebook would do. Some in the industry have said, yes, but there are some existent standards that are widely deployed. So maybe instead of just saying it must be FHIR and only FHIR, can you tolerate a transition period where some of the incumbent standards are used where they’re appropriate?
Of course. Being a reasonable person, I recognize change doesn’t happen overnight. You can’t go from a skateboard to a flying car. You might have some intermediate states. That’s recognized.
People have also commented, "Did you really mean to be negative about ONC?" What I tried to say … you write a lot, so you know it’s hard … I absolutely am not critical of any person. All I’m asking is, is the set of ideas, of getting very prescriptive and elaborative about the certification process, really a good idea? I think the answer with the certification rule is, it’s just too expansive in scope. It’s just going to be too hard for stakeholders and especially developers to hit all the details that are in that rule.
The problem is that every time you give a developer an “or,” it means “and.” They’re going to say, "You could do it this way, or you could do it this way, or you could do it this way." There are customers who are going to ask for each of the variations. Really what it does is it takes our healthcare IT developers out of commission for a couple of years.
That’s really what I was getting at. People at ONC are very hard working and very well meaning, just probably as you pointed out early in the conversation have been so heads down in the details that they didn’t really look at the forest — they were looking at the bark. So, let’s step back.
Another thing that people have said is, "Did you really mean to eliminate all kinds of certification?" What I was getting at by saying let’s focus — if there were just three goals, maybe the right answer there is there’s still some kind of certification process, but it really is very narrow.
An example I can give you is if you went out to Best Buy today and you bought a DVD player, it will have a little Blu-ray symbol on it. You can expect that when you get it home and you plug in a Blu-ray disc, it will play. What I was saying is that we should focus on three things, such as can you use FHIR to do a push of data or a pull of data or get a patient to pull their data? You could imagine — of course I’m making this up as we go — that there are three little labels that you could be putting on the EHR package analogous to the Blu-ray label, so that you know when you got the package home, I will be able to push a payload to a trading partner or pull data from a foreign EHR.
Certification today is a multi-man year exercise where you are asked to enter a ZIP code and come back the next day and prove the ZIP code is still there. It’s just onerous, as opposed to a very narrowed set of, “When you take this home, it will do this.” Two or three things, not a thousand.
That’s the feedback. That’s the summary of what I’ve heard back.
You seem to be frustrated lately that the government is more involved in everything: HITECH, HIPAA, and ICD-10, all enforced through Medicare. Do you think CMS has too much influence on what happens in the exam room between a provider and a patient?
I do. I’m not partisan in any way. It’s not that I have a Republican agenda or a Democratic agenda. I just try to have a multi-stakeholder agenda.
Here is an example. If Meaningful Use said, "We’re going to count the number of transactions you did,” but yet those transactions which I counted were actually not helpful to coordinate patient care or respectful of the patient’s wishes, was it really meaningful to count transactions? Here’s an example. You must, for a transition of care summary 5 percent of the time, ensure that from Provider A to Provider B, a package of stuff is sent. It turns out that package of stuff may be a bag of smelly garbage. That is, it’s 1,094 pages of completely unhelpful information, but I can count it in my numerator.
Wouldn’t a better measure be as a doctor, nurse, social worker, or physical therapist were you actually able to coordinate the care of this patient because you received the information that you thought was helpful to do so, somehow? As you know, I don’t have stock in any company. I don’t endorse any organization, so this is an exemplar. KLAS gathered together Cerner, Epic, eCW. Meditech, Athena, Surescripts, and others. If we want to look at the experience of data sharing rather than transaction counting, what questions would you ask?
Here’s a perfect example where the private sector said, we are very willing, in a Consumer Reports-like fashion, to have an independent entity call up 100 of our customers and ask them all these experiential questions which then will reflect — almost like a Yelp review — on the experience of interoperability with our product. That to me is a far better approach than CMS counting the number of bags of garbage that you sent.
What KLAS is proposing presumes that providers really want to share data with their competitors, at least on some occasions. Do you think customers are really demanding interoperability?
The United States has global capitated risk, bundled payments, and valued-based purchasing that’s been going on for five years in Massachusetts. Yet you go to the Midwest and there’s still fee-for-service.
Let me reflect on New England. We today at Beth Israel Deaconess have 1 billion dollars per year of bundled payment, risk-based contracts. We have told every doctor in our community it is not possible to manage risk unless we have, at every transition of care, about 150 data elements to understand what care was delivered. What’s the care plan? Who’s the care team? What’s the next bit of care the patient needs? What are the diseases we’re monitoring?
What you find, at least in our area, it isn’t even a question of siloed data, information blocking, or competitive whatever. It is an existential question. If you do not share data, you can’t survive, because we are paid for wellness, not sickness. I think a much more potent motivator than Meaningful Use or stimulus or compliance or penalty is this idea of, I will pay you when the patient is healthy or give you a fixed amount to keep them healthy. That eliminates these competitive kinds of barriers in information exchange.
Health systems haven’t done a good job at managing wellness or overall health outside of their own facilities. Are they capable of making the change from episode-driven care to population health management?
I just looked at our Pioneer ACO experience. I recognize that the Pioneer ACO program has very mixed outcomes. But at least at Beth Israel Deaconess, where we have 450 locations of care, we have gone beyond what we would call the EHR and now focus on the care management medical record.
At our ACO, we have a single, normalized database that receives all the Meaningful Use transactions from every one of our clinicians and hospitals and urgent cares and SNFs and all the rest. Then the care managers are looking for variation. They’re looking for gaps in care. They’re looking for opportunities. They’re looking at risk and these sorts of things.
I’m told we’re the #3 ACO in the country and the #1 in New England because of our capacity to reduce cost and improve quality with this care management medical record approach. You’re correct that the off-the-shelf products that exist today don’t do that very well, but it is certainly possible to use technology to accomplish the goals of, as MACRA will suggest, value-based purchasing.
The mainstream press and politicians seem to be paying attention the reactive phrases “gag clauses” and “information blocking.” Are big health systems using their EHRs to reinforce their market power?
When I say I’ve never seen information blocking — this is like the Loch Ness Monster, often talked about, but never seen — people do comment that information blocking can take many forms. Like a hospital that is technically not capable of sending information or a hospital that is 200 miles away from a referring physician and hasn’t quite got to the data transmission to those in the periphery. Again, speaking from Massachusetts, I have not seen hospitals and doctors use information blocking as a competitive weapon, thinking that if it’s my data, I will retain the patient and I will make more money.
In fact, I’ve quite seen the opposite. That is, there is this sense that if I need data for managing care and you need data for managing care, we had better bilaterally exchange data because it is no longer a competitive advantage to maintain a data silo.
The only time I’ve seen sluggishness in the transmission of data are for the reasons that I mentioned. That is, technically maybe a vendor or an IT department isn’t quite familiar with the technology. Or that there’s a Pareto diagram of all the clinicians we interact with and we’re going to start with the ones that are close, while the ones that are 200 miles away, we’ll get to. It’s not volitional. It’s just a function of resource.
What do you think of ONC’s proposed health IT safety center?
I have to read more about that. As I’ve read the various presentations about it, the concern that we have is that as we introduce new processes and technology, sometimes we create new errors and that we don’t really discuss those new errors in an open way. In New England, we have a patient safety organization which comes together to openly discuss these in a what I call a blame-free environment. I think that’s the notion of what ONC is trying to do at a national level.
I’ll give you a silly example. It’s not true, but it would illustrate the problem. If you came to me with high blood pressure and I wrote you for atenolol, which begins with A-T, I would never on a piece of paper write anything other than atenolol. Of course you couldn’t read it, but it would say atenolol. Whereas if I had an EHR that had a Google-like look-ahead feature and I started typing A-T and the first thing that came up was Ativan and I clicked on it and I was giving you Ativan, I’m giving you now something that’s an antianxiety drug instead of an antihypertensive.
That is a an error of commission. That is an error of technology that would have never happened in a manual process. I think those are the sorts of things that we identify locally in Harvard that ONC wants to see at a national level and Congress wants to see at a national level, enumerated and fixed.
Are EHRs poorly designed or are doctors just unhappy with the information insurance companies and the government require before writing them a check?
Probably there are a couple of answers to that. This usability question … I’m sure you’ve heard many, many people quote Justice Potter: "I have no idea what usability is, but I know it when I see it." Having an objective metric of usability … NIST is trying, but it’s hard.
Why are there usability challenges? I could argue Meaningful Use itself creates usability challenges. If, for example, there is a quality measure that says I must, in my denominator, only include people that have had strokes less than two hours ago. "Mrs. Smith, did your husband start talking funny one hour and 59 minutes about or two hours and one minute ago?" I now need to literally build a pop-up in the middle of my EHR workflow with a question about the timing of the stroke. It would never be part of my normal clinical data workflow.
As we do all these quality measures, as we do more and more structured data capture, what you find is that these vendors are having to add on all of these fields outside of workflow. That creates enormous usability problems.
One of the members of the Standards Committee said that they had actually done a usability analysis of how many clicks a nurse must use to admit a new patient and to document that new patient admission. The answer was 523. That was really just a function of all the regulatory mandates that require all the structured data capture.
I think we would all agree that each of the federal mandates on its own is a noble thing. All of us think domestic violence should be identified and treated, but that is just one of 100 structured things you ask on admission, "Do you feel safe at home?" That just creates real usability burden. Of course, one asks, are there other ways one can do this, such as a natural language processing or ways in which a free text entry is parsed by a computer and the clicks are reduced?
One of the things that I have suggested to Karen DeSalvo — and I think she recognizes it as a good idea —is maybe a certification criterion for the future is, “Did you eliminate the number of clicks by 50 percent?” Part of that has to be that the regulations were simplified so that we could.
I always assume that if one EHR requires 523 clicks, others might be 518 or 591. It’s not as though one vendor approaches things so differently that only they have problem with the number of clicks.
I would agree with you. Although, I live in a Web-mobile world. If you look at the user possibilities in a Web-based or mobile-friendly framework versus one that was more based on a client-server framework, I think you can probably achieve a better user experience on the Web than client-server. Many, many people debate that and I have no objective evidence to back it up, so it’s purely my bias.
First, reduce regulation. Secondly, as we move to different kinds of technologies on the client side, probably the user experience will be enhanced.
Direct messaging never seemed to get the traction people expected, maybe because nobody ever took the responsibility to publish and manage a Direct address directory. Does Direct still have relevance in interoperability?
Here was the problem with Direct. As you say, whatever we chose — it could have been FTP, it could have been REST, it could have been SMTP — it depends on an ecosystem, not a standard. Dave McCallie, I think, wrote a guest post on my blog saying, “Standards are necessary, but insufficient.” So to say, “We will mandate Direct" was a lot like saying, "We will mandate you to drive a car, but we won’t have any highways.” How come you aren’t driving? Well, let’s see. We don’t have road signs and we don’t have maps. We don’t have any laws or governance. It’s pretty hard to drive.
What should have happened with Direct is it should not have been mandated as fast as it was. It should have been encouraged and an ecosystem developed first. You’ve seen what I’ve written about things like a provider directory. It’s pretty hard to have successful Direct messaging in a community unless somebody has a directory of places to message to. DirectTrust, of course, is trying to work on the directory and certificate bundles and that sort of thing. When the Meaningful Use Stage 2 requirement was launched, DirectTrust didn’t have all that stuff built. Surescripts is trying to do the same thing.
You’re starting to see private industry building the missing enablers. As I wrote in the blog piece, some enablers may be government based. Some may be private industry based. Or you might have both. But it’s pretty hard to mandate the Direct protocol before the enablers exist.
Healthcare IT always gets stuck with some mandate that moves us sideways instead of forward. Are you concerned that we’ll chase data security with nothing really different than it was before?
You might guess that I spend a vast amount of my time on information and security. The challenge is, I mean, sure, go invest $5 million in technology. That won’t help you so much. You are going to be as vulnerable as your most gullible employee. What we’ve found is that you must invest, sure, in detection, prevention, and all the good things like firewalls, antivirus, and malware prevention, that sort of thing. But you also must educate every member of your workforce and you really have to reinforce that education.
For example, we have an internal, self-created phishing campaign that we use to test our employees’ knowledge of, “I just emailed you a password reset message with a URL in China. Did you click on it or not?” Of course, beyond that, you need very good policies, policies that people can actually comprehend. When I tell you, "You had better not show up at work with an unencrypted device," what does that mean? What kind of encryption? How do I do it? Be very specific. It’s hard to hold employees accountable for doing the right thing unless you show them how to do the right thing.
I tell people security is a process that will never be done. It isn’t a discrete project that you do once and forget. It’s technology. It’s education and policy. We can do it, as you say. It’s certainly an effort. It takes a lot of resource, but done right — and I think we can do it right — it’s an enabler.
Some of your CIO peers have told me they don’t stand a chance in trying to defend against a nationally sponsored, sophisticated cyberattack. Does government have a role or can something else be done to help individual health systems protect themselves?
There’s probably a couple of answers to that. Threat notification — that’s certainly important. That’s where, yes, the government has now crossed multiple industries, tried to create enabling legislation to share cybersecurity threats and vulnerabilities and do that in a way that can protect us all. So yes, we probably need to do that.
Harvard was attacked by Anonymous in 2014 with a massive distributed denial of service attack. This was published in The Globe, so I’m not revealing anything that is a secret. Was Harvard ready for a massive denial of service attack by a hacktivist group? That wasn’t one of the threats that anyone had enumerated as likely. So sure, the government can help us with that. If there is a mechanism of using government to help with forensics when you’re getting these kinds of attacks that are virulent and new, probably the government has more resources than an individual hospital.
I suppose one thing I would say is enforcement by OCR and OIG and other folks has to be done with an eye to, what is the community standard? If I see you as a patient and I do everything per the community standard but you still die … I mean you could sue me, I suppose, but generally malpractice looks at, was the standard of care followed, regardless of outcome achieved? If I put in intrusion detection and prevention and malware this and that and mobile encryption but still a state-sponsored cyberterrorist penetrates me? Probably I did everything I should have and I couldn’t defend again this highly virulent attack. Not my fault. You sort of hope OIG and OCR and others recognize it’s a community standard question not a, “I avoided all breaches forever,” because we will never all avoid breaches.
Do HIPAA fines and regulatory action need to be changed in some way to be less punitive and more constructive?
I certainly think that government regulators have to enforce based on volitional, “I spilled data because I actually gave it to somebody that I shouldn’t have,” or what I’ll call egregious malpractice. "I bought a wireless access point at Best Buy and put it on my data center," as opposed to, “I’ve had two publicly reported breaches over the last two years, neither of which I could control.”
As an example, if a doctor goes out to the Apple store and buys a device and thinks that adding a password to the device is the same as encryption and then the device is stolen but it was a device I didn’t even know about. Of course today, I the CIO am accountable for this device purchased at the Apple store that wasn’t encrypted. Of course, we do everything we can to now educate and anything we buy we encrypt, and all the rest. We did our best.
So, guys, what should we do? Tackle every individual who enters our building carrying a non-encrypted technological device? It’s not technologically possible. Recognize that there are gradations of things we can do and can’t do. Hold us accountable for the things we can do and recognize that education is often the best we can do in many circumstances and decide that that’s OK.
You mentioned in your write-up about the Meaningful Use program that it may have stifled innovation. What kind of innovation do you think healthcare or healthcare IT needs and what’s the best way to achieve it?
I have 19 developers total at Beth Israel Deaconess. Remember, we still self-build our EHR. It isn’t that Epic and Cerner and Meditech and Athena and eClinicalWorks or whoever are doing a bad job. It’s just that the kind of things that our clinicians have demanded and the prices we can afford to pay mean that building still works for us.
Look at the Meaningful Use “Statement of Burden.” I’m sure you’ve read all those thousands of pages. You look at these burdens like, “It will only take you 30 man-years to certify your EHR.” You’re like, "I have 19 people, total." Instead of working on Apple Watch medication reconciliation for elders in their home, I am now doing certification scripts. That’s where it has truly paralyzed my development shop for the last three years.
The kinds of things that our patients are asking for are more mobile technologies, more patient and family engagement, more what I’ll call family decision support, better access to information. There’s all these things that you would think, “Oh, if we were a customer service-driven organization, we would naturally offer them.“ But we have a choice — customer demand or federal regulatory stimulus and penalty. For the moment, we’ve got to go with regulatory demands.
People will then criticize me and that’s OK, saying "See, you shouldn’t self-develop. You should just go buy Epic and Cerner or whatever.” That’s fine, but Beth Israel Deaconess for 30 years has had this idea that innovation happens in the trenches, and that probably it’s a good idea to have a doctor code and come up with something that is solving a problem they saw today rather than wait a few years for a vendor to include it as a feature. Wouldn’t you love to have doctors and pharmacists and nurses and social workers creating software that solves real-world problems? Isn’t that the kind of innovation that we want to support?
What patient-facing technologies are you using or considering?
Recently we launched a program in our ICUs called MyICU. You’re familiar with various patient portals and these sorts of things. If you’ve ever had a loved one in an ICU or been in an ICU yourself, you know there’s a dizzying amount of data, but not a whole lot of information and wisdom.
What we’ve done is create an iPad app that shows patients and families –we’ve just written a paper that you’ll see published in JAMIA shortly about how we decide, based on patient privacy preferences, to share information with what family members and how does that work if the patient is intubated debated and that sort of thing – but it’s essentially a real-time dashboard saying, here are the goals that you have for today in this hospitalization. Here are your preferences for care. Here’s how the patient is doing against those goals. Here are the events of today. You’ve built this closed-loop information system with messaging back and forth between care team and patient and real-time interpretation of data into wisdom. Suddenly patients and families are saying, wow, I’m really an equal partner in my care here.
My father died two years ago and was in an ICU. Of course they said, "You know, his ejection fraction is 20 percent and his O2 sat on a non-rebreather is 82 percent and his creatinine has gone from three to five." Of course my mother goes, "Uh, and?" This app wouldn’t show you that. It would say the goal was to get him off a ventilator and that’s now red, so things aren’t looking so great. Or, we want to make sure that his organs are doing well, but that’s red, so they’re not. The kind of thing we’re focused on is not just raw data, but wisdom.
Is it hard to reconcile the science of informatics that could be versus the reality of what has to be?
Doug Fridsma, who is now the CEO of AMIA, and I had this discussion during the conference. He said that AMIA is striving to pivot from being a research-oriented group — the sort of folks that are in a lab and they’re more or less trying to push the envelope of possible — to a gathering of applied informaticians who are asking, how do you take Epic and optimize the care plan? Or, how do you take Cerner and do population health?
It’s exactly the point you make, that it’s probably a great use of all the smart people in our country to optimize the things we are seeing in the trenches as opposed to just work in the laboratory. That’s really what they want to do.
Do you have any final thoughts?
You may glean from some of my writing that there’s a hint of pessimism. We have been overwhelmed with Meaningful Use, ICD-10, the HIPAA Omnibus rule, and the ACA. The government has co-opted our agenda. Many of those great people in government who we worked with early in the Obama administration when there was hope and change have left.
I want to make sure the readers know that I’m incredibly optimistic about the future. What I see is that we are going from an era where we’re following regulatory requirements to an era where we, in theory, will be incented to innovate based on new kinds of payment models. Therefore, we actually will see – not one top-down command and control, this is what you must do, enumerated list of prescriptive regulations – but if you want to give all the 80-year-olds Apple Watches and monitor their vital signs and have visiting nurses come to their homes and keep them out of the hospital, we’ll reward you for that. Oh, but you don’t like Apple Watch? That’s OK, you can do something else.
I really feel that we’re on this cusp of moving to a new kind of work where we’re going to run lots of pilots. We’re going to learn. That’s really, I think, what the Institute of Medicine ultimately wants us in the next 10 years to be, is this learning healthcare system that tried a lot of things. Many of them will fail, but when they succeed, we’ll share them broadly.
That’s why I maintain my optimism. That’s why I come to work every day. That’s why, after 20-some years, I’m still a CIO.