Episode 469: Transcript - December 6, 2021

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Mari Savickis: The pandemic has been a massive distraction. I like to look on the bright side. Is that had we not had high tech in place back in 2009 we wouldn't even be where we are today had that level of adoptions permeated hospital and clinicians. We'd be in a whole different world of hurt. So that's the good news, right? Can you imagine having a pandemic 10 years ago, it would've been a disaster.

Special thanks to Sirius Healthcare, Health Lyrics and World Wide Technology who are our Newsday show sponsors for investing in our mission to develop the next generation of health IT leaders.

We're excited about where the community will take this channel. The Academy is about training. It's about training the next generation of health leaders. Here's where we're going to be launching our new show. It's called Insights and the show will actually take highlights from our last five years and break them into 10 minute episodes for your team and perhaps people who are new to health IT to come up to speed.

And we will be augmenting that with Solution Showcases and briefing campaigns that introduce exciting solutions in more detail. For more information on our other channels and where you can subscribe visit us at this weekhealth.com/shows - [00:02:30] S H O W S. Now onto the show.

All right. It's news day. And today we're joined by Mari Savickis with CHIME Public Policy. And we are going to look at the year that was in Washington, DC with regard to Health IT.

And we're going to look at the year that's coming up. We're also going to touch on some cybersecurity stuff as well. They just did a really cool survey and we're going to share some of the findings from that as well. Mari, welcome. Welcome to the show.

Mari Savickis: Thank you Bill for having me back.

We've talked about this before, but a lot of accomplishments from the public policy side. So give us a little taste of it and then I'll chime in [00:03:30] with some questions about them.

Mari Savickis: Sure. For those of you have tuned in before and heard our our conversation, cyber is the name of the game over here.

And so, at the top of the year, January 6th, it seems like a distant memory, right? Almost a year ago. President Trump actually it was Trump and was over the last bill that he signed before leaving off at signed a bill into law that is really something we've been working on for years. The way that it works in DC is it's a lot of rolling boulders up the mountain kind of thing.

Getting relief for providers in the form of of this law, which is gonna give HSS authority to pop in some of the. And the intensity of them [00:04:30] and the fines that go along with them. Again, if you are a provider who follows best practices for at least a year, and those best practices are include the ones that have been co-developed by HSS in the industry lovingly known as 405 ER hiccups.

And what's great about the practices is that they are designed for not just big well-funded providers. You're also designed for the smaller, medium, and you don't have to do everything in one day. Right. Kind of thing. It's it's a journey,

Bill Russell: It almost has to be designed for the smaller players because when you look at the breaches over the last years, Some of those small players, it's the Sky Lakes Medical Center.

And so this kind of relief you know, is targeted to help them around the audits and compliance as long as you're following best practices, but it's also designed to get them money. Isn't it?

Mari Savickis: That's exactly right. I mean, I think there was a widespread acknowledgement that the smaller intellectual resource providers are exactly just that left for resource.

And some, I just had a conversation with someone this morning who represents rural health care providers and one of their members was hit and I think it was, it was rural Michigan. I guess they thought, well, why wouldn't anybody want me to do it that? So I was like, oh, they actually want everything to do with you.

And it's very collaborative in nature cause we all are in this together. So that was the one thing. And actually just yesterday, HHS launched a website on 405D. It sounds like, oh, kind of Monday and no, no, no everything is one-stop shopping now. We're really excited about this. In fact we're sending a memo about that. I'll send it to you. But [00:07:00] this is good. This is great news. So you can just, again, we just need to drive more attention to it so that folks know that this is a set of tools that actually was developed by your peers and can be used by you. There's still a lower awareness of it.

Bill Russell: I think part of that is the complexity, right? So you're talking about that. The 405D resources, ISAC and other things. There's a bunch of resources for us to pull together. If you were talking to a CIO what are the one-stop shops?

Mari Savickis: It is overwhelming. And so what I would say is that that's why you join a professional association. So if you're a member of CHIME or a has, that's a good place to start. If you're not a member of ours and hopefully you're a member of another organization, who's keeping tabs on us for you. We have, and I can share with you Bill, we have a list of free resources that the government has. We've compiled this together into a neat little cheat sheet.

Right. You're just going to tell me, this is not for me to make the handoff to the proper officials. And then we step out of it. So, the worst case isyou're having trouble to getting response that, you can let us know. One of the top things that's recommended by the government is that you get to know your local FBI office.

And so you should establish a relationship with them. That's just one, one step you can do.

Bill Russell: You know, we're going to come back to cybersecurity, but obviously we have patient ID. We have interoperability, we have a bunch of things. So let's sit on patient ID.

You have to create identifiers for providers. Standards that is. Standards. I want to just reemphasize, it doesn't have to be a number, but standards for identifying clinician for identifying, for patients, for [00:09:30] a health plan. And the thing is like the to provide the patient pieces in there are controversial.

And so that piece has been removed and there's a prohibition in Congress right now. Again, it's a law that says HHS can find anything related to establishing a standard for a patient that identifies them. That's why there's no number or or solution or framework that HHS is adopted. So there's that.

And so there's no funding bill fully through in the entire fiscal year, 2022. So right now we're looking at a CR hopefully not a shutdown. They're trying to work that all out right now. So what that means is like things just kind of continue status quo that needs a language they'll say then like, you have to live to fight another day.

It's going to happen. I don't think that necessarilty, I mean, I want to be optimistic, but I have to be a realist too. But, we're getting closer. Every day is a little bit closer. Anybody wants to join our coalition you can join our coalition and it's free also. To help us get the ban removed.

All of this is about it's about funding, the research, right? So we're not trying to solve the problem of, okay we have this many undocumented immigrants in Southern California. Roughly six to 8% of the people that presented in one of our hospitals were undocumented. Because essentially they weren't Kaiser patients.

Mari Savickis: There, I mean, certainly there are these per second use cases like children like immigrants, right? Somebody maybe is homeless. This is a problem that needs to be solved. And, I mean, yeah, we could potentially assign a number. That's highly controversial [00:12:00] and it doesn't have to be a number.

And then in the end, maybe something's illegal they might not want to get a number. I mean, I think we, you don't want to let perfect be the enemy of the good that you do have to keep your eye on these populations who may be under starved. So we do think it needs to be able to be able to touch everyone.

I think tha t some of the concerns are rooted in the government having control over people's data. But I mean, some of these arguments are somewhat antiquated and you and I have talked about this before. We're giving away a lot of data anyway. And so to think that it's not actually already out there and there's actually bumpers. The government can't just do what they want to do with personal data.

Bill Russell: Yeah. I mean, the conversation we've had is I just don't think we should paint the people [00:13:30] who aren't jumping up and down about patient ID as Luddites. They're. They're not necessarily Luddites. They're looking at it and saying, okay, what about privacy?

What about this group? What about, there's a lot of challenges to it that. just, just the it needs to be it to see the light of day in terms of a debate. And I think that's what we're pushing for here. Right? Let's get it on the Senate floor. Let's have the debate. Let's have the conversation, let's put it to a vote and, and make it part of the public consciousness.

Now we're starting to have the conversation on the Senate floor and making progress, but this is the kind of thing, people are thinking, oh, this is close to the finish line. It could be an administration or, or potentially two away from actually getting across the finish line, depending on what happens next. We just never know.

So we're very anxious about this and I'm sure maybe the next time, if you invite me back for 2022, we can talk about [00:15:00] the report if it's out by then.

Bill Russell: Oh, you'll be invited back. Don't don't worry about that.

Mari Savickis: Naughty or nice. Make sure I don't get a lump of coal in my stocking.

Bill Russell: Yeah, no, you'll probably get a, like a dish for Elon Musk's new internet service so that we can have a better connection next year. I'm sorry.

Mari Savickis: I'll just fly to Florida. We can just do it in person. Somehow if I can navigate the travel..

Mari Savickis: I could talk about privacy all day long, like one of my favorite topics, so, okay. Is HIPAA antiquated? Probably. Right. Is there anything better right now? No. Not So much, not in this country. There's also a long history of compliance with HIPAA. And so you have this, well, let me just say, let me back up for a second, providers, if they like nothing else they want ceretainty. Right. Just help me say, just [00:16:30] tell me what I have to do.

Or I just want to understand like what it is you're asking me to do. I mean said another way is they don't like ambiguity. We want bright yellow lines. We want to know what fit are you being held to so on and so forth. And so there's a long history of HIPAA compliance. And so, it's not perfect. I think you could probably argue either side.

So, what you're asking me to like is HIPAA antiquated. Well, and when it comes to de-identification of data, all you need to deal location tracking, and you can identify someone with pretty darn good certainty about who they are. So once you add that in and pretty much that's your cell phone number one. Okay. So they're going to know everyone where you're [00:17:30] going. Cause there's only one person going to Bill Russell's house who does exactly what you do every single day. Right. So in that respect, that is antiquated. But if you look at some of these bills, they have like de-identified data as carve outs.

And so I think that's something that's going to have to be ruffled to the ground. I'm not sure that I have, I'm sure I don't have the answer, but it's tough. Right. So I'm not even sure that some of these other bills that try to like go a bit further are going to involve all of the calls. Like.

I'll stay there, but we've had people on the show and we've talked about like six other areas that really could use some just basic touch-up, but others like a rethinking, because this things. This thing's getting up there in age and technology is changing so rapidly. De-identified data is pretty interesting.

So some aspect of that is going to be in the de-identified data. And that the thing I've talked about is we have, we have this new thing that's being launched. A lot of health systems have gotten on board and they're all putting in their patient data. That's the de-identified [00:19:00] data and I've identified at least two health systems that I have visited that have put my data into this repository without ever asking me.

If I want my data in that repository, I guess if I'm not even sure if it's covered with this, but I could opt out of the record sharing, but that was more for the health information exchange, but I think it's being applied to this to this new venture. And by the way, they spin up this thing.

And I just think there's it's time for another conversation around. Maybe not patient who owns the, who owns the data, because I've often said that the house [00:20:00] of someones the data, they created the record, I just want joint custody. So if you stand up this new thing with with all these health systems and put this stuff in there, I want to be able to tap into it somehow. For my record. I don't want everybody else's record just for my record.

Mari Savickis: Is this data Bill. Is this de-identify are we still on the topic of de-identified?

Bill Russell: Yup. We are. We are Yes. It is de-identified you're right.

But I, but I agree. I mean, I'll tell you this, I learned the hard way that everyone who knows him, I know his TPO operations, right? The always a little bit of a slush bucket of soft. And, when you sign away your consent, there's a whole [00:21:00] bunch of stuff in there that they, that you know, that the providers can take.

Like, for example, a placenta, right? I didn't know that they could just do something with that. I didn't know that. And so I think this comes to the larger conversation, I guess maybe I'm going to put my consumer hat on and take my time out of ops to be careful here. Just transparency, right? I mean, you just want to be transparent about what you're doing.

Bill Russell: Yeah. And, and, I'm not calling out healthcare here cause all my Google data is being used for making money for advertising, that kind of stuff.

Mari Savickis: It's happening but I think Congress has been fairly distracted this year. They're still this distracted, right? They have a lot of stuff to do before the end of the year. I don't even have many business days are left for them, but there's not that many. They're dealing with the government shutdown tomorrow. They're still dealing with build back better. Dealing with the national defense authorization act.

They're the ones that govern [00:23:00] third party apps and data that's how is the non HIPPA covered entities? They said, Hey guys, we're going to start looking at these third party apps more. And the privacy terms and conditions, which is really a victory for consumers, for the patient term consumer, who is giving their data away to maybe they don't really know.

They think it's one person that's really like, there's a downstream effect here. So we just have to take it in bite size pieces. I don't think we're going to solve everything tomorrow.

Mari Savickis: Oh yeah. I mean, yeah. I mean, I think we're moving along and obviously the pandemic has been a massive distraction. I mean, on the one hand again, looking, I like to look on the bright side, I'm a glass half full kind of person. Is that had we not had high tech in place, back in 2009. So we wouldn't even be where we are today had that level of adoptions, [00:24:00] permeated hospital and clinicians. We'd be in a whole different world of hurt.

So that's the good news, right? I mean, can you imagine having a pandemic 10 years ago, it would've been a disaster. So we're a lot closer than we were, but it's still not correct. And one of the things you know, just go back to the HIPAA stuff for a moment that we need for interoperability is consent. That is not ironed out nicely.

Well, I don't think that that's true and I'm not alone in my thinking. So increasingly I think you're going to hear more about that. So the deadlines too are rapidly approaching like within a year. Does everybody have a Firebase server? I don't know. I don't think so. Somebody should probably, probably will be off.

So you can go and take a look and see what resources you need. And if you have questions, you can start off to us and we'll try to answer it. I will say that, we're still waiting for answers for, from the questions in terms of implementation that we get from members from ONC. So not that we have all the answers. But we'll tell you [00:25:30] if we do or don't know.

Bill Russell: Yeah. One stop shop infoblocking center.org. What am I going to find there?

Mari Savickis: You're going to find, like for example eight exceptions information blocking. Super complicated. The privacy one is like, I think the most, one of the most complicated.

Bill Russell: So your team has broken it down and done those things. You guys are also doing a lot of online content and that kind of stuff. You develop those cheat sheets, which I love. It really is fantastic. So your team is yourself. Who else is on your team?

Bill Russell: Actually I do peruse that that newsletter every week. It's really helpful just to know what's going on and to stay ahead of the curve. I really appreciate all this stuff that your team is doing. We'll have to have Cassie on. Because we had, we've had Andrew on it at some point, but we have not had Cassie on. Get her in front of the mic and find out what's going on from her perspective.

Mari Savickis: Yeah, absolutely. We're happy to bring the team on next year, that would be, that'd be fabulous. They are both amazing.

Actually to, just to tee it up, we we were talking about a story. Attracting retaining healthcare CISOs. Maybe it's not a money problem, and this is an SC Media. Jessica Davis wrote this article. She says all sectors are facing cybersecurity staffing shortages with the latest data, showing that the US cybersecurity workforce needs to increase by 65% to protect critical infrastructure.

So I see that. Those roles are then handed to IT or compliance officers. From an outside perspective the reasons for these shortages would seem related to budget constraints. After more than a year of battling the pandemic many hospitals [00:28:00] and health systems are operating with fewer staff overall and facing staggering financial challenges, data from the aha estimates that the net financial impact and collective losses tied to COVID-19 hospitalizations from March to June of 2020, which was the worst period of time.

It's interesting to me. There is a shortage in cybersecurity for sure. There's actually a growing staffing problem in health IT just in general. We've, we've had almost a war start for talent and people are being hired away from other health systems and those kinds of things. And I'm hearing some shortages as much as 15% open [00:29:00] positions at certain health systems.

Mari Savickis: It was basically with AHA our affiliate organization comprises of those. It's yeah, it's our survey. And we plead with them to fill this out because we really need to know where we need to push and pull in DC. I mean, you hit on all of the, the challenge, the workforce itself is a big challenge.

And maybe, maybe their salary, isn't the only factor. They really feel very invested in getting up and doing the right thing, which is what I've found. I mean, in a lot of places you can work, but working for patients is really a calling. So, I mean, there, there are shortages and I think that's something we have to work on together.

Bill Russell: Yep. so it did go out to a CISOs within healthcare. Here's some of the findings 67% of respondents indicated they had a security incident in the last 12 months. That meshes with my anecdotal conversations that I've had. 45% were unaware of free best practices from 405D only 52% are members of ISAC and 80% of respondents indicated the cost of cyber insurance had increased over the past year.

And I guess that is part of the reason that insurance companies exist is to drive higher level of compliance, but [00:32:00] they're sort of looking at what they have to do. And they're like, well, if in order to do all these things, I have to go to the board and get a couple million dollars to all this work, just so we can get this insurance policy and be compliant with our insurance policy.

Mari Savickis: The cyber liability thing is a big deal. We heard lots of problems about that. I had one member who's i n an urban area who has sort of disadvantaged populations that she wasn't able to get the same policies you got last year. And then she had a hotline get a supplemental policy. And so it doesn't have the same amount of coverage. And [00:33:00] that the requirements are exhausted that you have to meet. And some of the feedback has been that not all of the requirements and most event are actually helpful, but I think there has to be some, I think we're we and others are starting to scrutinize like what exactly these requirements are.

You don't want to have a situation where you're scared of the POC. And just doing something to do something. So, yeah, we've heard a lot about that. And Congress is aware of it and there's been a geo report on it too. So this is like an issue.

Maybe, maybe not you. It's information you put in people's hands who are going to be in those meetings I would imagine.

We're pursuing that, especially for underserved providers. TBD on whether we'll get that some level of support with the regional, like something like a regional extension center that kind of help boots on the ground when you need help. A closer relationship, I mentioned at the top of the call with federal authorities are saying that they feel like they need.

Like the, there was a great w binar with the CISO from Vermont who they were down for like a month and he laid out all the challenges that they had. There were [00:35:00] some examples that he gave, like if he had to go back in time and fix things like, like the challenges of dropping back to paper, right? There's a lot of clinicians, if they're younger, don't know how to code on paper. So there's some things like your phone system, is it tied into like everything else ? You don't want single points of failure. There were so many, I can't remember them all. It was, but he was willing to go with, stick his neck out and talk about it. So that's the, we need more of is to understand and have a window [00:35:30] into what happened. But people are afraid to share infroamtion.

Bill Russell: Yeah, absolutely. All right. I want to give you the final word here. What, what can we expect from Congress and the hill next year? You know, what big events do you expect that we're going to make progress on next year?

Mari Savickis: Oh, this pandemic man.

Bill Russell: Yeah I know. And we're going through a new variant right now. I mean, that could start off things pretty good.

Bill Russell: Does it get renewed by a vote of the house or how does it get renewed?

We're not going to terminate the PAG until at least the end of 2021. And we would give you a 60 days notice. Well, obviously the pandemic is not over. And so I think, our best guess is that it will be renewed. Number one by HHS in January. Number two, that they may issue a similar like-minded letter that he did last year.

Bill Russell: Mari, there is absolutely no chance that the public health emergency comes off any time in 2022, that's a prediction. It's just my personal prediction. But [00:37:30] in January of last year, I said, there's no chance it's coming off in 2021. I don't think there's any chance it's coming off in 2022. Not because I think the pandemic is going to get worse or anything to that effect.

I don't think there's any appetite for this administration or for this HHS secretary to pull it off. It's actually a way to fund a bunch of things without getting funding. Right. So, so I think it's, I think it's just going to continue.

A little bit more gaps, whether it's interoperability or telehealth or patient ID or privacy. I would say another thing our teams are focused on, which we haven't talked about on this call, but we can talk about next time is the care continuum. It's not just for patients, I would just go to hospital. They don't go to a doctor's office.

They go somewhere else. Especially Medicare patients or those with chronic conditions. So that's something we're paying attention to and try to make sure that interoperability spreads across the entire sector. And that they're, well-supported

So will those always get, get kind of fun up there on the hill as well? So we'll see. We'll see what happens. Thanks again. Hope you have a great holiday and we will definitely catch up after the [00:39:00] first of the year.

Mari Savickis: That sounds great Bill. Thanks so much. Appreciate it.