Smart Card Talk : April 2011 : Feature of the Month

Getting to Meaningful Use and Beyond: How Smart Card Technology Can Support Meaningful Use of Electronic Health Records

Healthcare is at a pivotal point in its evolution–one that has been faced by many other industries which have made the painful transition from a paper to a digital infrastructure. The speed at which healthcare is moving toward electronic medical records has been accelerated by government legislation and incentives, but this pace may also be its downfall. Healthcare data is a sensitive and highly personal collection of information that requires extraordinary protection. At the same time, in order to derive value from electronic health records, this information needs to be readily available to healthcare providers, healthcare facilities, and even patients and their families to positively impact care quality, accuracy and cost. This seeming dichotomy of purpose makes the effective use of electronic medical records very challenging.

However, the challenge is not simply the implementation of electronic health records, but meaningful use of them, which entails a host of additional requirements for new and existing technologies in the healthcare, security and information technology industries. The U.S. government’s Health Information Technology for Economic and Clinical Health (HITECH) Act (part of the American Recovery and Reinvestment Act of 2009, or ARRA) has specific meaningful use criteria requiring all healthcare entities to use certifiable technology that has the ability to transform healthcare information into a standardized, electronic, accessible, readable and usable format. The criteria also require healthcare data to be kept confidential, private and secure, accurate, shareable with patients as well as providers, mobile and exchangeable, and readily available. Smart card technology and smart card-based systems can aid in meeting these requirements.

“Meaningful use” has become more than just a buzz word of the U.S. healthcare system–it has become the top priority of today’s healthcare industry. In 2010, the government, healthcare organizations, consumers and technology providers came together to move toward interoperable electronic health records that can transform the healthcare industry. This is the first of a series of articles that outline the ways in which smart card-based systems can better position healthcare organizations and providers for meaningful use of electronic health records.

Electronic Health Records and Meaningful Use

In July 2010, the Department of Health and Human Services’ (HHS) Office of the National Coordinator (ONC) issued a “Final Rule” defining and supporting “meaningful use” of electronic health and medical records (EHRs/EMRs) [1], with October 2011 set as the first cut-off date for receiving Stage 1 incentive funding. These funds are not trivial; a minimum average of $2-4 million in incentive funds will be paid to eligible hospitals, and tens of thousands of dollars to individual eligible providers, who both implement EHRs and demonstrating that they meet specific meaningful use criteria defined as a result of the HITECH Act.

While the Final Rule stimulated the healthcare industry to move forward with adoption of EHRs, it did not do much to ensure that the process of implementing new technology was done in a safe, secure and controlled fashion. Almost immediately, there were more questions than answers. For example:

  • How does an institution or vendor qualify for meaningful use certification?
  • How can an institution meet some of the more difficult criteria with technology that is available?
  • How do institutions prevent massive security breaches like the loss of a flash drive that contained protected health data for over 280,000 Pennsylvania consumers in September? [2]

The Smart Card Alliance believes that smart card technology and smart card-based systems can help to provide answers to these questions.

Climate Change in Healthcare Technology

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 stimulated the first concerted step toward conversion of paper medical records to computerized records in the U.S. healthcare industry. However, HIPAA provided no clear roadmaps, incentives or benefits for this costly and time-consuming process over the last 15 years, so most institutions and providers made little progress. The HITECH Act of 2009, however, brought change to the industry by focusing on key areas of use of electronic medical records and mandating that healthcare institutions implement new technologies (such as smart card and other technologies). Implementation is to be done under stringent guidelines, which the government will support, both developmentally and financially.

Newsweek described this healthcare technology climate change in an online article entitled “The Smart Set,” published in early 2010 [3]. According to the article, “…two recent changes to health policy will likely push hospitals in the direction of smart cards. First, the stimulus package puts $19 billion toward ‘utilization of an electronic health record for each person in the United States by 2014.’” The article goes on to describe how the HITECH Act integrates both incentives and penalties to put teeth in the requirements. “Moreover, new legislation, passed in 2009, steeply increases the fines for patient security breaches. Penalties that used to cap out at $25,000 can now go as high as $1.5 million. Taken together, these two changes push healthcare providers toward a system that is both electronic and secure.”

The HITECH legislation will require more sophisticated security controls for handling healthcare data. Encryption, two-factor authentication, and biometrics have all been cited as examples of technologies that should be considered to secure and protect healthcare data and systems. Noteworthy is the fact that smart card technology can be used to implement all of these technologies.

Table 1. HIMSS Analytics–US EMR Adoption Model™, 2007-2010 & HITECH Goals [4]

After more than a decade of attempting to move to electronic medical records, clinical documentation and patient information, the industry had only marginal success prior to 2009 (see Table 1). The ARRA/HITECH Act, however, has kicked EMR adoption into high gear. The Final Rule for meaningful use component pushes healthcare providers and institutions to move from paper-based data and infrastructure to electronic data and networked systems–a move that corporate business, banks, law enforcement and other industries made years ago. To assist the healthcare industry with the transition, the U.S. government will also be providing incentive payments to providers and institutions that go beyond mere implementation and actually demonstrate they are meaningfully using the new technology. The government is essentially using the traditional “carrot and stick” approach to motivate healthcare industry investment in new technologies and processes. The incentives are the carrots, and the stick–a system of penalties for failing to implement and meaningfully use and exchange electronic health records and patient information–will come into play in a few years.

To qualify for incentive payments, eligible hospitals and providers must use a “qualified EHR.” According to the HITECH Act, a qualified EHR must have specific technical capabilities, must support providers in achieving meaningful use objectives, and must be certified. According to HHS, the overriding reason for requiring certification for healthcare technology is to “provide assurance to purchasers and other users that an EHR system, or other relevant technology, offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria established for a given phase.” [5]

One of the primary reasons smart card technology is positioned to become such an integral piece of the new healthcare technology landscape is precisely because of its ability to assist in meeting meaningful use requirements: providing the technological capability needed for providing secure storage and access to EHRs, enhancing and improving EHR functionality and workflows, and ensuring security protocols meet and/or exceed the requirements of certification.

Meaningful Use Measures and Certification

The certification criteria for health record technology final rule [6] speaks specifically to requirements all technology vendors must satisfy to meet the meaningful use criteria. There are basically two portions of the rule–the functionality requirements and the framework requirements. While the specific functionality requirements determine whether or not an EHR can be certified as “complete” or as a “module,” the framework requirements are applicable to all types of healthcare technology.

The rule specifies that complete EHRs and modular EHRs must contain functionality that allows the technology to be “meaningfully used,” in order to qualify for Stage 1 meaningful use certification, and thereby qualify a healthcare entity for incentive funding. The exact distinction between “complete EHR” and “modular EHR” functionality is still unclear, but the Final Rule has been interpreted by most as meaning that a complete EHR is a certified primary system for storage, manipulation, retrieval and exchange of electronic medical/health records for an organization or provider. The complete EHR provides the majority of core meaningful use components but may need to work in conjunction with additional certified ancillary technologies to satisfy all meaningful use criteria. A modular EHR is a secondary certified healthcare technology system which provides at least one core or menu of meaningful use components; the modular EHR would need to work in conjunction with a complete EHR or another modular EHR to satisfy all meaningful use criteria.

Table 2 demonstrates how smart card technology and smart card-based systems meets the needs of the 16 Stage 1 meaningful use core measures, which are mandatory requirements for EHR, EHR module and health information exchange functionality for incentive eligible hospitals (EH) and eligible providers (EP) to implement by October 2011.

The rule also includes 12 Stage 1 menu requirements, 10 pertaining to eligible hospitals, and 10 pertaining to eligible providers. Both hospitals and providers must also complete 5 out of 10 of their respective menu requirements in order to qualify for incentives, including mandatory reporting of clinical quality measures. Key menu requirements where smart card-based systems can potentially be a key factor with a modular EHR include the following:

  • Use EHR technology to identify patient-specific education resources and provide those to the patient as appropriate
  • Record advance directives for patients 65 years of age and older (for EH)
  • Incorporate clinical lab test results into EHRs as structured data
  • Send reminders to patients per patient preference for preventive or follow-up care (for EP)
  • Provide patients with timely electronic access to their health information (for EP)
  • Perform medication reconciliation at relevant encounters at each transition of care
  • Provide summary care record for each transition of care and referral

While smart card technology on its own does not provide a complete EHR technology solution, smart card-based systems can be used by healthcare organizations to meet many of the Stage 1 core and menu requirements for meaningful use. Smart card technology is positioned to be a leading contender for designation as a modular EHR technology solution and provides many of the features and capabilities needed to comply with some of the more stringent requirements of HITECH and the later stages of meaningful use that will be phased in by 2015. [7] The integration of smart card technology with emerging EHR systems should be a top consideration for healthcare vendors looking to provide certified healthcare solutions to the marketplace.

Table 2. How Smart Card Technology and Smart Card-Based Systems Meet Meaningful Use Criteria

Meaningful Use Core Measure (CM) Classic/Complete EHR/EMR Solution [8] Potential Smart Card Technology Solution How Smart Card Technology and Smart Card-Based Systems Can Satisfy Meaningful Use Requirements [9]
1. Use a computerized physician order entry (CPOE) system Provider smart card can be used to authenticate user onto system
2. Implement drug-drug and drug-allergy interaction checking
3. Generate and transmit permissible prescriptions electronically (ePrescribing) Smart card can provide high assurance user authentication and can be used to digitally sign prescriptions to eliminate fraud and abuse
4. Record demographic information Patient identity and demographics can be encrypted and stored on smart card; the data can be read and written to at point of care [10]
5. Maintain an up-to-date problem list of current and active diagnoses Patient problem list can be encrypted, maintained and updated on smart card; can be read and written to at the point of care
6. Maintain an active medication list Patient medication list can be encrypted, maintained, reconciled and updated on smart card; can be read and written to at the point of care
7. Maintain an active medication allergy list Patient medication allergy list (can also include other information such as non-medication allergies, implanted devices) can be encrypted and stored on smart card; can be read and written to at the point of care
8. Record and chart vital signs Most recent and trended patient vital signs can be encrypted, maintained and updated on smart card; can be read and written to at the point of care
9. Record smoking status Patient smoking status can be encrypted, maintained and updated on smart card; can be read and written to at the point of care
10. Implement one clinical decision support rule and track compliance with it
11. Calculate, report and transmit CMS Quality Measures
12. Provide patients with an electronic copy of their health information upon request An electronic summary of health information can be encrypted, maintained and updated on smart card; can be read and written to at the point of care; patient can use smart card to access data through authorized kiosks, patient portals or printer devices
13. Provide patients with an electronic copy of their discharge instructions and procedures upon request Discharge instructions and procedures can be encrypted, maintained and updated on smart card; can be read and written to at the point of care at time of discharge; patient can use smart card to access data through authorized kiosks, patient portals or printer devices
14. Provide patients with an electronic copy of a clinical summary for each office visit upon request An electronic clinical summary of health information can be encrypted, maintained and updated on smart card; can be read and written to at the provider offices’ point of care; patient can use smart card to access data through authorized kiosks, patient portals or printer devices
15. Exchange key clinical information among providers of care and patient-authorized entities electronically (e.g., health information exchanges) Smart card technology can be used to interface with patient portals and health information exchanges and can provide, for example, a health information exchange portal between hospitals and physician offices. The smart card can also hold a detailed medical summary which can be read from the card.
16. Privacy and security: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities Smart card technology and smart card-based systems can implement the highest level of encryption, user authentication, privacy measures, and auditability. All exchanges of non-protected as well as protected health information (PHI) data can be encrypted during storage, transport or exchange. Network layer security and encryption can be configured end-to-end, route-to-route, or edge-to-edge. Smart cards can support PKI certificates and biometrics and follow robust security standards (ISO, NIST).

Summary

Smart card technology can augment existing EMR/EHR systems to provide the critical functionality necessary to achieve meaningful use, as well as to address important security and privacy gaps that could compromise the future use and utility of emerging regional and national health information networks. Next month’s Smart Card Talk article will discuss how smart cards assist in fulfilling the specific security requirements of meaningful use.

References and Notes

[1] Medicare and Medicaid Programs: Electronic Health Record Incentive Program; Final Rule, Dept. of Health and Human Services, July 28, 2010

[2] Breaches Affecting 500 or More Individuals, Dept. of Health and Human Services web site. As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breach has been reported to the Secretary: Keystone/AmeriHealth Mercy Health Plans, PA, Individuals Affected–285,691, Date: 9/20/10, Portable Electronic Device (Flash Drive).

[3] The Smart Set, Newsweek, February 17, 2010

[4] HIMSS Analytics Database web site

[5] Certification Programs, Dept. of Health and Human Services Health IT web site

[6] Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule, Dept. of Health and Human Services, Federal Register Notice 45 CFR Part 170, July 28, 2010

[7] See Federal Register / Vol. 75, No. 144, Page 44597. “Certified EHR Technology means: (1) A Complete EHR that meets the requirements included in the definition of a Qualified EHR and has been tested and certified in accordance with the certification program established by the National Coordinator as having met all applicable certification criteria adopted by the Secretary; or (2) A combination of EHR Modules in which each constituent EHR Module of the combination has been tested and certified in accordance with the certification program established by the National Coordinator as having met all applicable certification criteria adopted by the Secretary, and the resultant combination also meets the requirements included in the definition of a Qualified EHR.”

[8] The Certified HIT Product List (CHPL) provides the authoritative, comprehensive listing of complete EHRs and EHR modules that have been tested and certified under the Temporary Certification Program maintained by the Office of the National Coordinator for Health IT (ONC).

[9] In all examples, smart cards are mobile with the patient/provider and can have the ability to be decrypted and read by emergency first responders.

About this Article

This article is an extract from the Healthcare Council white paper, Getting to Meaningful Use and Beyond: How Smart Card Technology Can Support Meaningful Use of Electronic Health Records. The white paper outlines the ways in which smart card-based systems can better position healthcare organizations and providers for meaningful use of electronic health records, while addressing many of the security and privacy challenges that come with electronic health records and health data exchange.

Council members involved in the development of this white paper included: CSC; Gemalto; Giesecke & Devrient; IBM; IDmachines; LifeMed ID, Inc.; MasterCard Worldwide; Mount Sinai Medical Center; Northrop Grumman Corporation; Oberthur Technologies; OTI America; SCM Microsystems; XTec, Inc.

About the Healthcare Council

The Healthcare Council is one of several Smart Card Alliance Technology and Industry Councils, a new type of focused group within the overall structure of the Alliance. These councils have been created to foster increased industry collaboration within a particular industry or market segment and produce tangible results, speeding smart card adoption and industry growth.

The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on the how smart cards can be used and to work on issues inhibiting the industry.

The Secure Technology Alliance is Hiring

X