HIPAA, HIPAA, Hooray?: Current Challenges and Initiatives in Health Informatics in the United States.

A review of the current challenges, trends and initiatives around the various regulations as related to Health Informatics in the United States is presented. A summary of the functions in a workflow-based approach, organized into the process and compliance for HIPAA, secure email and fax communications interfaces, e-prescriptions and patient safety, and the health information technology savings claims versus costs, follows: HIPAA compliance is complex; data interoperability and integration remain difficult. Email and faxing are possible with current over-the-shelf technologies within the purview of the HIPAA Security and Privacy rule. Integration of e-prescribing and NPI data is an area where health informatics can make a real difference. Medical errors remain high. There are no real savings yet from the usage of health information technologies; the costs for implementation remain high, and the business model has not evolved to meet the needs. Health Information Technology (Health IT) projects continue to have a significant failure rate; Open Source technologies are a viable alternative both for cost reduction and scalability. A discussion on the macro view of health informatics is also presented within the context of healthcare models and a comparison of the U.S. system against other countries.


Introduction
One editorial observer noted that the Health Insurance Portability and Accountability Act (HIPAA) 1 was "Health Care's Giant Hairball" 2 after Gordon MacKenzie's observation of the layering and addition to bureaucracy in his book 'Orbiting the Giant Hairball', where he notes that "every new policy (or regulation, system, procedure or form) is another hair for the hairball. Hairs are never taken away, only added." The corporate and bureaucratic ecosystem around the hairball is "a Gordian Knot of corporate normalcy." This paper is a review of the current challenges, trends and initiatives around the various processes and regulations, as related to Health Informatics, and is organized into the process and compliance for HIPAA, secure email and fax communications interfaces, e-prescriptions, the national provider identifier, patient safety, the health information technology savings claims versus costs and a summary discussion.
The secure portability and accountability of patient and insurance information requires the increased use of information technologies. However, the U.S. healthcare system has several disparate components: Medicare, Medicaid, private insurance, VA and government insurance, out-of-pocket and uncompensated care. A macro-informatics view with the healthcare informatics workflow as the centralized component, and related components either using the workflow or affecting it, is shown in Figure 1 below:

HIPAA as Workflow
The Administrative Simplification (AS) section of HIPAA, passed in 1996 by the U.S. Congress, primarily mandates the use of standardized electronic data interchange for healthcare transactions between providers, insurers and employers. The HIPAA Security and Privacy Rules protect patient information and, in some instances, physician information. A representative workflow is the Healthcare Provider-Payer workflow as shown in Figure 2 below. Radiology informatics has remained distinct from textual informatics owing to its image content. Another example workflow for secure data transactions, a Radiology workflow, is shown in Figure 3 below utilizing the "Use Case" technique as described in the Unified Modeling Language. 4 HIPAA compliance is complex from a data perspective: the interoperability and data mapping standards identified by the Healthcare Information Technology Standards Panel (HITSP), which is sponsored by the American National Standards Institute (ANSI) 6

HIPAA Compliance and Case Studies
General guidelines for HIPAA compliance in the "Seven Habits" format 7 are as follows:
1. Document the policy and control environment.
2. Assign appropriate oversight of compliance management.
3. Require personnel screening and access control.
4. Ensure compliance through training and communication.
5. Implement regular control monitoring and auditing.
6. Consistently enforce the control environment.
7. Prevent and respond to incidents and gaps in controls.
A HIPAA compliance case study 8 of Sharp Healthcare, with 2,600 physician offices and 400 IT applications serving nearly 3 million San Diego county residents, found that 40% to 70% of the users of its various IT systems were not employees, which directly affected the access control process of the systems involved as per the HIPAA privacy and security rules. The HIPAA Security Rule guidelines used during this study were:
1. Information System activity review
2. Termination procedures for user accounts
3. Information access management
4. Access establishment and modifications
5. Access controls
6. Audit controls, initiated by management
A well publicized security breach of the Kaiser Permanente internet patient portal exposed the shortcomings within organizations with direct consequence for the HIPAA Security and Privacy Rule. 11 Lessons learned from this case study:
1. Complex, tightly-coupled computer systems aggravate security issues.
2. Security training is necessary but not sufficient to prevent breaches, due to individual errors.
3. Security issues may signify broader organizational weaknesses.
4. Good information management and standard operating procedures are as important as the regulatory forcing of security issues.
Even homogenized healthcare systems like the British National Health Service (NHS) are not spared from the challenges in implementing new information technology systems: the £13 billion overhaul of the NHS has run into several problems in emergency, primary, outpatient, cancer and child-abuse care departments. The number of complaints regarding medical errors and delays has more than doubled, from 5,500 in 2006 to over 14,000 in 2007. 53 Recent NHS problems with smartcards and integration into the Cerner Corporation (Kansas City, KS) Millennium Release 1 Care Records Service have also been reported. 54 From the case studies noted above, it can be inferred that Healthcare Compliance is cumbersome and complex, especially for integrating diverse monolithic systems, where data interoperability and data scrubbing are an ongoing quality issue. A little investment in domain expertise can go a long way. A good example of HIPAA risk workbooks and compliance checklist templates is the HIPAA outreach effort of the University of Wisconsin. 10

Communications Systems Compliance
The two critical communications components in any health informatics system that need to pass muster with the HIPAA Privacy Rule are email and facsimile (fax) systems. A HIPAA security perspective of these components is presented below:

Secure email
Secure email messaging is a critical component of HIPAA compliance, specifically for electronic Protected Health Information (ePHI). Messaging protocols like Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the Portable Document Format (PDF), which is now an ISO standard, are components that are readily available for integration into email and other electronic messaging applications. 12

Secure faxes
The drawbacks of traditional paper-based faxing technologies as a HIPAA compliance risk are summarized 13 with the following advantages of electronic or internet-based faxing:
• Elimination of paper faxes, reducing the risk of data being seen or copied by unauthorized personnel to almost zero;
• Elimination of the risk of a paper fax being delivered to the wrong person or being thrown away inadvertently;
• The ability to store every fax electronically, either on the user's PC or a password-protected network server, assuring there is always a copy of important information;
• Availability of 128-bit encryption and SSL when transmitting and receiving documents through the secure server method;
• Greater accessibility to the information when the fax owner is off-site;
• Easy integration with document management applications, eliminating the need to scan paper documents while making information more accessible to auditors and other authorized personnel.
Since TLS, SSL and PDF technologies are readily available and easily integrated with existing infrastructures, secure email and faxing are possible with current 'over-the-shelf' technologies within the purview of the HIPAA Security and Privacy rule.

e-Prescribing and the National Provider ID
The e-Prescribing initiative, a section of the Medicare Improvements for Patients and Providers Act of 2008, 14 and the National Provider Identifier (NPI) database 15 are critical pieces of the electronic healthcare workflow.
Electronic prescribing (e-prescribing) is the use of an automated data entry system to generate a prescription for pharmaceutical drugs, rather than the current paper-based system. 16 The per-seat cost for e-prescription systems in 2006 was approximately $1,500 to $3,000 with a monthly service fee of about $50. 16 Since HIPAA mandated the adoption of standard unique identifiers for health care providers and health plans, the U.S. This is another area where health informatics can make a real difference toward the speed and quality of the transactions.

Medical Errors and Adverse Events
One issue within health informatics that has yet to gain critical mass is the reporting and auditing of clinical, medical and billing errors in health care systems within the context of patient and insurance information. From the 2008 report of the American Hospital Association (AHA), there are more than 5,700 registered hospitals in the U.S. 26 The HealthGrades Patient Survey 18 studied over 40 million Medicare hospitalization records at approximately 5,000 hospitals between 2003 and 2005. The results, specifically for Medicare data, were disturbing: 1.16 million patient safety incidents (2.86% incidence rate), approximately 250,000 preventable deaths and excess costs of $8.6 billion. Extrapolating this to the overall U.S. healthcare numbers (Medicaid, private insurance and VA) is troubling, to say the least.
Two error reporting studies were conducted by the American Academy of Family Physicians (AAFP) National Research Network (NRN), in which 1265 medical errors were voluntarily reported by more than 440 primary care clinicians and staff from 52 physician offices. The analysis suggests that patients with complex health issues are vulnerable to more severe outcomes. 19 Of the total error reports related to medications, 194 were analyzed: 70% of the medication errors were prescribing errors, while medication administration errors and documentation errors each constituted about 10% of the total. 20 After recent, high-profile drug reactions and interactions, 21 the Food and Drug Administration (FDA) is publicizing three 'road-map' initiatives:
1. MedWatch, the FDA safety information and Adverse Event Reporting (AER) program, with a quarterly safety report, 22
2. Sentinel, "a national, integrated, electronic system for monitoring medical product safety" 23 , and

ROI and the Savings Argument
Electronic healthcare records are the cornerstone argument for better HIPAA compliance. The Return on Investment (ROI) and savings arguments have been touted for implementing health information technologies using best practices. Most of the recommendations (client/server, standard operating procedures, anti-virus systems, accounts and role management, wireless LAN, backups, audit and logging, audits and quality practices) are standard IT infrastructure improvements that provide marginal improvement outside the HIPAA context. 27

The glass half full
The eHealth Initiative, a U.S. non-profit organization that promotes health informatics policy advocacy and informal lobbying for health informatics initiatives, released the results of its fifth annual survey on 11th September, 2008. 28 The survey included 130 community-based initiatives in 48 states. The survey defined seven stages of a Health Information Exchange (HIE) "initiative": Stage 1 was recognition of health informatics as a concept and Stage 7 was a "fully" operational organizational HIE. Stages 1-4 are defined as pilot-stage projects, whereas Stages 5-7 are post-pilot "operational" projects.
The number of operational sites (stages 5-7) in the survey increased by 31% from the number in 2007, with stronger participation by providers, payers, patients and public health partners.

The glass half empty
Even the eHealth Initiative acknowledges that 82% of all respondents and 72% of operational initiatives responded that a sustainable business model was "very" or "moderately" difficult to accomplish.
In a statement to Congress, Peter Orszag, Director of the Congressional Budget Office (CBO) presented the analysis "Evidence on the Costs and Benefits of Health Information Technology" on July 24, 2008. 29 This study directly contradicted the widely quoted RAND Corporation 30 2005 report, which projected an annual savings estimate of $77 billion using health information technologies.
The argument of the CBO study was that technology on its own would not affect the savings equation, primarily due to the hard numbers: as of late 2006, only 11% of physicians and 12% of all hospitals in the United States have adopted health information technology systems (defined as electronic documentation of providers' notes, electronic viewing of laboratory and radiological results, electronic prescribing, computerized physician order entry, clinical decision support, and interoperability).
Large medical practices adopt health information systems at a faster rate: only 16% of smaller physician practices have "some sort of" health information system versus about 38% of larger practices and organizations. 29 Therefore, the commercial Personal Health Record (PHR, used interchangeably with electronic Health Record, eHR, and Electronic Medical Record, EMR) initiatives and their features by Microsoft 31 and Google 32 are called into question, at least for the near future, with respect to their integration with the various existing health information systems and their promise of data security in accordance with the HIPAA regulation. Neither system includes a HIPAA Security and Privacy compliance statement. 31,32

Risks, Costs and "Open-Source"
Most health information systems do not meet their goals as originally envisioned. 33 The definition of success and failure needs to be better defined and quantified using Risk Analysis and software Validation and Verification. 34 A common theme of failures in Health IT projects is the "Design-Reality gap." 33 The issues that create these gaps between design and reality are: Information, Technology, Process, Objectives and values, Staffing and skills, Management and Other resources. Another important context for each of the Design-Reality gap issues is the Hard-Soft gap: the hard, rational design perspective that is standards and metrics based, versus the soft political reality. Modularity in the planning process, which considers the risks and plans for the gaps, both Design-Reality and Hard-Soft, is a key success metric. 33 One of the largest risk factors for a PHR system is data sharing. Santa Barbara County, CA, faced most of the issues discussed here: cost, ROI, integration, back-up, maintenance, training and lost productivity during overlap and operation. The Santa Barbara County Care Data Exchange had to be shut down. However, the success of the data exchange platform of the Regenstrief Institute in Indiana is because 70% of the state uses it. 35 The U.S. Census Bureau shows the Santa Barbara county, CA, population in 2006 to be about 400,000, as compared to the population of San Diego county, CA, of about 3 million, the same as the state of Iowa.
A PHR system for small group and single practice physicians costs $44,000 per physician, and has an estimated annual average ongoing cost of $8,500, the American College of Physicians President Lynne Kirk, MD, told the House Subcommittee on Regulations, Healthcare and Trade of the House Committee on Small Business in October 2007, adding that the business case does not exist to make this kind of capital investment.
The current Microsoft and Google PHR systems, in post-Beta stage, are negotiating with hospitals and insurance companies, but have not disclosed a revenue model. This raises the question of the most plausible revenue model: pharmaceutical drug and device advertising.
Since planning, implementation and maintenance costs remain the largest hurdle for funding and sustaining health informatics systems, the Open Source movement is a valid alternative to contain costs for health informatics implementation. 36 There is a vast amount of free-text information with confidential patient and physician information in nursing notes, discharge summaries and radiology reports. This confidential patient and physician information needs to be "de-identified" (obfuscated), and a method is needed for correlating the specific file back to the de-identified information, the reverse process. Larger healthcare institutions average several terabytes (10^12 bytes, TB) of annual data. This results in an average free-text data processing rate of about 20 MB per day. The HIPAA Privacy rule defines two methods to "deidentify" health information, both of which require electronic processing: (1) Remove 18 specific identifiers for an individual: names, geographic identifiers, dates, telephone numbers, fax numbers, email addresses, SSN, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, VIN and license plate numbers, device IDs or serial numbers, web URLs, IP addresses, biometric IDs, full face photographs and any unique ID. 1 (2) Use a qualified professional to determine the risk involved in the deidentification process and document the methods and justification for this opinion. 1 A good example of an open-source software program is the free-text deidentifier 37 Perl 38 program called "deid". 39 The 'deid' program processes about 10 MB per hour of free-text data with an average recall performance of 0.967. This software is released under the GNU Public License Version 2. 40
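To make the "remove 18 identifiers" method and its reverse process concrete, here is an added Python illustration (not the 'deid' program and not the paper's own code) that tags a subset of the Safe Harbor identifier categories in a constructed discharge note, keeps the tag-to-original mapping as the re-identification key, and measures recall against a hand-annotated list of the PHI the note contains. The note, its annotated PHI and the regular expressions are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Patterns for a subset of the Safe Harbor categories named in the text:
# dates, SSN, telephone numbers, email addresses, IP addresses, medical
# record numbers and (title-prefixed) names. Constructed for this example;
# a production de-identifier needs far broader coverage than this.
PATTERNS = [
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("MRN",   re.compile(r"\bMRN[:# ]\s*\d{4,}\b")),
    ("NAME",  re.compile(r"\b(?:Dr|Mr|Mrs|Ms)\.\s+[A-Z][a-z]+\b")),
]

# Constructed sample note; every value in it is fictitious.
SAMPLE_NOTE = (
    "Discharge summary for Mr. Garcia (MRN: 00481516), seen on 03/14/2007.\n"
    "Contact: (619) 555-0142, jgarcia@example.com. SSN on file 123-45-6789.\n"
    "Portal login from 203.0.113.45. Follow-up with Dr. Okafor in 2 weeks.\n"
    "Patient's sister Maria will drive him home."
)

# Hand-annotated PHI in the note, used as ground truth for recall. "Maria"
# is included deliberately: an untitled first name that the patterns miss.
EXPECTED_PHI = ["Mr. Garcia", "MRN: 00481516", "03/14/2007", "(619) 555-0142",
                "jgarcia@example.com", "123-45-6789", "203.0.113.45",
                "Dr. Okafor", "Maria"]


def deidentify(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each identifier with a numbered tag such as [SSN-1].

    Returns the tagged text and the tag -> original mapping. The mapping is
    the re-identification key and must be stored separately from the
    de-identified text, under access control."""
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}
    for label, rx in PATTERNS:
        def _tag(m: "re.Match", label: str = label) -> str:
            counters[label] = counters.get(label, 0) + 1
            tag = f"[{label}-{counters[label]}]"
            mapping[tag] = m.group(0)
            return tag
        text = rx.sub(_tag, text)
    return text, mapping


def reidentify(tagged: str, mapping: Dict[str, str]) -> str:
    """The reverse process: restore the original text from the key."""
    for tag, original in mapping.items():
        tagged = tagged.replace(tag, original)
    return tagged


def recall(mapping: Dict[str, str], expected: List[str]) -> float:
    """Fraction of annotated PHI strings that the de-identifier removed."""
    removed = set(mapping.values())
    return sum(1 for phi in expected if phi in removed) / len(expected)


if __name__ == "__main__":
    tagged, key = deidentify(SAMPLE_NOTE)
    print(tagged)
    print(f"recall = {recall(key, EXPECTED_PHI):.3f}")  # 8 of 9 -> 0.889
```

The untitled name that survives in the output is the reason the text reports recall below 1.0 even for a mature tool, and why the Privacy rule's second method (expert determination of residual risk) exists alongside identifier removal.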
Another open-source protocol and application available for secure communications is the public-private key infrastructure called GNU Privacy Guard (GPG). 41,44 Open Source currently faces a perception and user-facing-interface problem, which could be easily overcome since most applications nowadays are web-centric. The Health informatics community should be wary of the recent web-centric phrase du jour, "Cloud Computing", and avoid its allure over the next few years. Risk and business requirements need to drive the solution, not the technology. 45 Caveat emptor. It is evident from the macro-economic health models above that the U.S. healthcare model is a piece-meal patchwork of all the models used around the world. What is surprising, and contrary to the increasing uninsured 46 and under-insured population, 47 is that the combined income of the 50 largest "non-profit" hospitals in the U.S. (as defined by the American Hospital Directory) has grown from about $544 million in 2001 to about $4.27 billion, primarily due to a more than 160% mark-up of costs in 2005 (a 60% increase since 2000). 48 Uncompensated care accounted for 2% of the total number of patients covered by this total income. U.S. Senators, led by Iowa Senator Charles Grassley (R), are mounting pressure on the tax-exempt status of the non-profit hospital industry after several investigative newspaper reports. 49,50 A consensus from the discussion with the thought-leaders in the field from various countries on the path forward for the U.S. healthcare system: 55
• Universal coverage: Medicare for everyone (long-term coverage not included)
• Remove for-profit competition among insurers and hospitals
• Adjust risk for coverage from a pool of funds weighted toward ability to pay
• Firm price controls (for doctors, drugs and paperwork)
• If there are critical snags, get the doctors, nurses, hospital administrators and pharmaceutical industry at one table and provide a deadline to resolve the issue; otherwise government decides
Figure: The healthcare macro-models as related to the US healthcare system, derived from 55.
The Healthy Americans Act 51 proposed by the U.S. Congress and Senate for 2009 is a self-funded step in the right direction toward stitching together the disparate healthcare models.

Healthcare Economic Models
A common standards platform for healthcare data recorded and exchanged during clinical trials is another area of amalgamation of the Clinical Data Interchange Standards Consortium (CDISC) 52 with HIPAA.

Conclusion
From the above sections, the "take-home" message follows:
1. HIPAA Compliance is complex, especially for integrating diverse monolithic systems, where data interoperability and data scrubbing are an ongoing quality issue. A little investment in domain expertise can go a long way.
2. Email and faxing are possible with current over-the-shelf technologies within the purview of the HIPAA Security and Privacy rule.
3. Integration of e-prescribing and NPI data is an area where health informatics can make a real difference.
4. The reporting of medical errors and adverse events needs continued input from the public, watchdog groups and whistle-blowers.
5. There are no real savings yet from the usage of health information technologies; the costs for implementation remain high and the business model has not evolved to meet the needs.
6. Health Information Technology (Health IT) projects have a significant failure rate like traditional IT projects, and disciplined risk mitigation along with standardized software validation and verification would reduce the failure rate. Open Source technologies are a viable alternative both for cost reduction and scalability.
It should be noted that Health informatics technologies are powerful tools toward a solution, but not the solution itself. These tools are chipping away slowly at a fundamentally and systemically flawed health care system. No large hoorays yet, but there is definite hope.

Disclosure
The author reports no conflicts of interest. The author has no disclosures or affiliations to any companies mentioned in this article.