Safeguarding Health Information: Building Assurance through HIPAA Security Purpose

Safeguarding Health Information: Building Assurance through HIPAA Security
Excerpted on Sept 3, 2012 from NIST HIPAA Security Conference


hipaa logoThe National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) co-hosted the 5th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on June 6 & 7, 2012 at the Ronald Reagan Building and International Trade Center in Washington, D.C.

The conference explored the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This event highlighted the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule. The Security Rule set federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards.

The conference offered important keynote addresses and plenary sessions as well as breakout sessions following two learning tracks around specific areas of security management and technical assurance. Presentations covered a variety of current topics including updates on HHS health information privacy and security initiatives, OCR's enforcement of health information privacy and security activities, integrating security safeguards into health IT, safeguards to secure mobile devices, removing sensitive data from the Internet, and more.

A single registration fee granted access to all presentations on-site and through a live Webcast. Video of the event is available at:

A live Twitter Chat was conducted using the hashtag #HIPAASecurity.

Lunch and refreshments were served on-site.


Conference Agenda – Final Agenda dated 5/29/2012

Presentations can be viewed from the NIST Computer Security Division's website known as Computer Security Resource Center (CSRC).

Presentations – 2012 HIPAA
Excerpted on Sept 3, 2012 from (updated: Wed., June 6 @ 10:27am EST.)

NOTE: All presentations posted are in PDF format. Also note, when you click on the link to a presentation, the presentation will open up in a new browser window and this page will still be open in the background.

Wednesday, June 6 (Day 1):

9:00-9:15 Welcome and Logistics
David Holtzman, OCR and Kevin Stine, NIST

9:15-9:30 Leadership Remarks
Matt Scholl, Deputy Chief, Computer Security Division, NIST

9:30-10:15 Risk Management Framework: Privacy Controls
Dr. Ron Ross, NIST

10:30-11:15 Beyond HIPAA: The FTC Privacy Report
Cora Tung Han, FTC

11:15-12:15 Establishing an Access Auditing Program
Cindy Matson, Sanford Health System

1:15-2:00 View From the Cloud: Security Assurance Considerations for a Purchaser
Mac McMillan, HIMSS; and Vince Campitelli, Cloud Security Alliance

2:00-2:45 HHS/ONC Overview
Joy Pritts, Chief Privacy Officer, Office of the National Coordinator

3:00-4:00 (Breakout A-1 Session) Security of Mobile Devices
Lisa Gallagher, HIMSS

3:00-4:00 (Breakout B-1 Session) Security of Health Information When Maximizing Accessibility and Usability
Matt Quinn, NIST, and David Baquis, US Accessibility Board

4:05-4:50 (Breakout A-2 Session) ONC Mobile Device Project
David Shepherd, LMI

4:05-4:50 (Breakout B-2 Session) Integrity Protections
Dan Rode, AHIMA

Thursday, June 7 (Day 2):

9:00-9:30 The Convergence of Privacy and Security in Protecting Health Information
Leon Rodriguez, Director, OCR

9:30-10:30 OCR Audit Program
Linda Sanches, OCR

10:45-11:45 HIPAA Security Rule Toolkit Use Case
Sue Miller, WEDI Security and Privacy Workgroup; Jim Sheldon-Dean, Lewis Creek Systems, LLC and Sherry Wilson, Jopari Solutions

1:00-2:00 Federal Data Breach Response of Health and Consumer Protected Information
David Holtzman, OCR, and Alain Sheer, FTC

2:00-3:00 Data Breach Strikes
Gerard Stegmaier, Wilson, Sonsini, Goodrich & Rosati; and Paul Luehr Stroz Friedberg

3:15-4:00 Security Testing and Assessment Methodologies
Karen Scarfone, Scarfone Cybersecurity; and Richard Metzer, D.Sc. CISSP, Lockheed Martin

4:00-4:45 Meaningful Use Crosswalk to the Security Rule
Adam Greene, Davis Wright Tremaine LLP


ONC Fact Sheet: Regional Extension Centers

ONC Fact Sheet: Get the Facts about Regional Extension Centers
Published on ONC site 12/3/2010

Improving the nation’s health care through health information technology (health IT) is a major initiative for the U.S. Department of Health and Human Services (HHS). The Office of the National Coordinator for Health Information Technology (ONC), the Centers for Medicare & Medicaid Services (CMS), the Office for Civil Rights (OCR), and other HHS agencies are working together to assist health care providers with the adoption and meaningful use of electronic health records.

ONC has funded 62 Regional Extension Centers (RECs, pronounced R-E-Cs) to help more than 100,000 primary care providers meaningfully use electronic health records (EHRs). Eligible providers who adopt and meaningfully use EHRs may receive incentive payments through the Medicare and Medicaid EHR Incentive Programs. Providers do not have to become technology experts to achieve meaningful use of EHRs; RECs will provide them with on-the-ground assistance.

REC services include outreach and education, EHR support (e.g., working with vendors, helping choose a certified EHR system), and technical assistance in implementing health IT and using it in a meaningful way to improve care.

RECs have received $677 million for the next two years to support their work.

About the RECs
RECs represent a range of organizations that serve local communities throughout the country. 

The RECs’ focus is to provide on-the-ground assistance for:

  • Individual and small practices, including primary care providers, physicians, physician assistants, and nurse practitioners
  • Medical practices lacking resources to implement and maintain EHRs
  • Those who provide primary care services in public and critical access hospitals, community health centers, and other settings that mostly serve those who lack adequate coverage or medical care

About the Health Information Technology Research Center
The Health Information Technology Research Center (HITRC) has been funded with a $50 million grant.  The HITRC will assist the RECs in collaborating with one another and with other stakeholders to identify and share best practices for supporting health care providers in adopting and meaningfully using EHRs.

For More Information About:

Download Get the facts about RECs [PDF - 255 KB]

Fact Sheet: Chartered Value Exchanges: Local Collaboratives Driving Health Care Reform

Fact Sheet on Community Quality Collaboratives from AHRQ
Excerpted from Agency for Healthcare Research and Quality (AHRQ) on 12/12/2010

Community quality collaboratives are community-based organizations of multiple stakeholders, including health care providers, purchasers (employers, employer coalitions, Medicaid and others), health plans, and consumer advocacy organizations, that are working together to transform health care at the local level. The Agency for Healthcare Research and Quality offers these organizations many tools to assist in their efforts.


Community quality collaboratives are key drivers of health care reform at the local level. These collaboratives, including 24 Chartered Value Exchanges, are implementing a bold vision for health care reform built on four cornerstones. are built on four cornerstones. These cornerstones are:

  • Measuring and publishing quality information to enable consumers to make better decisions about their care.
  • Measuring and publishing price information to give consumers information they need to make decisions on purchasing health care.
  • Promoting quality and efficiency of care.
  • Adopting interoperable health information technology.

AHRQ offers a compendium of tools and resources for other community quality collaboratives who want to follow paths similar to Community Leaders and Chartered Value Exchanges.

Tools for Collaborative Leadership and Sustainability

Sustainability Toolkit for Community Quality Collaboratives: An Overview of the Art & Science of Building Staying Power
Tools to help collaboratives build, maintain, and refine an infrastructure that supports and advances the mission of the organization as market and stakeholder expectations change

Go to: (PDF File, 150 KB; PDF Help)

Multi-stakeholder Community Inventory Modules
Tools to assess strengths and goals of Community Quality Collaboratives along 8 areas: collaborative leadership, public at-large engagement, quality and efficiency measurement, public reporting, provider incentives, consumer incentives, strategy for improving quality, health information technology/health information exchange.

Go to: (PDF File, 407 KB; PDF Help)

Regional Coalition Collaboration Guide
Assists community leaders in creating and sustaining a regional coalition based on lessons and tips from six pilot quality initiatives

Go to:

Tools to Engage Consumers

The Community Quality Collaborative Leader’s Guide to Engaging Consumer Advocates
Guide for including consumer advocates in Community Quality Collaboratives

Go to: (PDF File, 175 KB; PDF Help)

AHRQ Publications for Consumers
Easy-to-understand publications for health care consumers

Go to:

Tools on Measures, Data, and Reports on Quality and Efficiency

Selecting Quality and Resource Use Measures: A Decision Guide for Community Quality Collaboratives
Tool to help community-based organizations striving to improve the quality of health care in their communities select quality of care and resource use measures.

Go to: (PDF File, 777 KB; PDF Help)

Consumer Assessment of Healthcare Providers and Systems (CAHPS®)
Public-private initiative to develop standardized surveys of patients’ experiences with ambulatory and facility-level care

Go to:

Online query system that provides access to health statistics and information on hospital inpatient utilization and quality—at the national and state levels—and thereby can inform local quality agenda…

Go to:

National Healthcare Quality Report and National Healthcare Disparities Report
Annual, comprehensive overviews of the state of quality and disparities in health care in the United States

Go to:

AHRQ Preventable Hospitalization Costs, a County-Level Mapping Tool
Downloadable software that can be used with administrative data on hospital admissions to assess the number and cost of “preventable admissions” in State or communities.

Go to:

Identifying, Categorizing, and Evaluating Health Care Efficiency Measures
Rand report that identifies, analyzes, and classifies current definitions of efficiency, lays out a roadmap to help illuminate discussions, and identifies next steps.

Go to:

AHRQ Quality Indicators
Downloadable software that can be used with hospital administrative data to
assess quality of care. Software includes four modules: inpatient quality indicators; patient safety quality indicators; prevention quality indicators; and pediatric quality indicators.

Go to:

Tools for Public Reporting

Best Practices in Public Reporting
The purpose of the Best Practices in Public Reporting series is to provide practical approaches to designing public reports that make health care performance information clear, meaningful, and usable by consumers.

Go to:

  1. How To Effectively Present Health Care Performance Data To Consumers
  2. Maximizing Consumer Understanding of Public Comparative Quality Reports: Effective Use of Explanatory Information
  3. How to Maximize Public Awareness and Use of Comparative Quality Reports Through Effective Promotion and Dissemination Strategies

Health Care Report Card Compendium
Searchable directory of over 200 sample report cards that show formats and approaches for providing comparative information on the quality of health plans, hospitals, medical groups, individual physicians, nursing homes, and other providers of care.

Go to:

Model Public Report Elements: A Sampler
An illustrative menu of public report elements from health care provider performance reports from around the country.

Go to:

Quality Indicators Draft Model Reports
Model reports designed to report comparative information on hospital performance based on the AHRQ Quality Indicators

Go to:

Talking to Consumers about Health Care Quality
Site designed for people and organizations trying to educate consumers about health care quality

Go to:

Tools on Incentives for Quality

Pay for Performance: A Decision Guide for Purchasers
An evidence summary organized around 20 questions that span four phases of purchaser decisionmaking: contemplation, design, implementation, and evaluation.

Go to:

Decision Guide on Consumer Financial Incentives
An evidence summary organized around 21 questions that span incentive design and implementation decisions identified by user-stakeholders. It reviews the application of incentives to five types of consumer decisions: selecting a high value provider, selecting a high value health plan, deciding among treatment options, reducing health risks by seeking preventive care, and reducing health risks by decreasing or eliminating high-risk behavior.

Go to:

Tools to Improve Preventive Services

U.S. Preventive Services Task Force
Expert recommendations for clinical preventive services

Go to:

A Purchaser’s Guide to Clinical Preventive Services: Moving Science into Coverage
Information source for employers on clinical preventive service benefit design Exit Disclaimer

Current as of September 2010

Texas brings to Nine, No. of Strategic & Operational Plans Approved by ONC; Six of which ONC has posted

Plans Approved for California, Delaware, Maine, Maryland, New Mexico, South Carolina, Tennessee, Texas, and Utah
Versions of eight of nine state plans are publicly available.
See December 8, 2010 updated list with Nebraska and Michigan on e-Healthcare Marketing.
These plans and dates were excerpted on December 1, 2010 from Office of National Coordinator (ONC) for Health IT’s “State HIE Toolkit.” These are from section called “Planning Examples & Case Studies.”

“The State HIE Toolkit is a compilation of resources provided under the auspices of the State HIE Program sponsored by the Office of the National Coordinator for Health IT (ONC).”

Examples of ONC approved Strategic and Operational Plans:

  1. New Mexico Strategic and Operational Plan V2 (update posted 5/18/10) 
  2. Utah Strategic and Operational Plan (posted 5/18/10)
  3. Maryland Strategic and Operational Plan (posted 6/10/10)
  4. Tennessee Gap Analysis and Strategic and Operational Plans (posted 10/1/10) New!
  5. South Carolina Strategic and Operational Plans (posted 10/5/10) New!
  6. Texas Strategic and Operational Plan (posted 12/1/10)

States/SDEs with Approved Strategic and Operational Plans
Updated 12/1/10
Both California and Maine plans, while not yet posted by ONC, have been previously posted on e-Healthcare Marketing. (See link at bottom of this post.) Still need to ascertain if the California and Maine plans posted on e-Healthcare Marketing are final approved plans.

State Date Approved Date Posted Documents
California 6/16/2010 Will be posted soon  
Delaware 5/17/2010 Will be posted soon  
Maine 8/16/10 Will be posted soon  
Maryland 5/14/10 6/10/10

   S&O Plan

New Mexico 1/25/10 5/18/10

S&O Plan V2

South Carolina 8/30/10 10/5/10

Strategic Plan

Operational Plan

Tennessee 9/17/10 10/1/10

Strategic Plan

Operational Plan

Gap Analysis

Utah 5/12/10 5/18/10

S&O Plan

Texas 11/3/10 12/1/10

S&O Plan

See e-Healthcare Marketing post for 31 State Health Information Exchange Plans, last updated on November 21, 2010. The Nov 21 update still needs to be reviewed and revised based on plan revisions not yet captured in that post.

NHIN Governance: Learn to Speak NHIN on Nov 4 & Have Your Say Too!

1. National eHealth Collaborative (NeHC) Presents
NHIN 202:  NHIN Governance Authorities
2. FACA Blog Seeks Governance Feedback Nov 3

NHIN 202:
Thur, Nov 4, 2010, 3:00pm to 4:00pm

Excerpted/summarized from National eHealth Collaborative on 11/1/2010.
You will learn about the initial recommendations of the Health IT Policy Committee’s Governance Workgroup and the process of turning them into rules. ONC and Advisory Committee/Workgroup leaders will serve as faculty and will respond to your feedback.


  • Mary Jo Deering, PhD – Senior Policy Advisor, Office of Policy and Planning, Office of the National Coordinator for Health IT (ONC)
  • John Lumpkin – Chair, Health IT Policy Committee Governance Workgroup; Senior VP and Director, Robert Wood Johnson Foundation
  • Michael Matthews – Chair, NHIN Exchange Coordinating Committee; Member, Health IT Policy Committee Governance Workgroup; CEO, MedVirginia


  • Aaron Seib – Interim CEO and NHIN Program Director, National eHealth Collaborative

PHASE 1 Recommendations of Workgroup from FACA Blog Post 
Or see FACA Blog post reposted below.
WEBINAR: Click here

AUDIOCONFERENCE: (866) 699-3239 or (408) 792-6300
(Please join the event with a computer system first and follow the audio instructions on the screen.)

ACCESS/EVENT CODE: 665 557 547

ATTENDEE ID: You will receive this number when you join the event first with a computer connection.

National eHealth Collaborative Relationship with NHIN
“The Nationwide Health Information Network (NHIN) is a collection of standards, specifications and policies that enable the secure exchange of health information over the internet. Today, a group of federal and private entities known as the NHIN Exchange have implemented those standards, specifications and policies as one operational model for exchanging health information nationwide. As part of this model, those entities established a committee structure to administer and support their operational approach.

“Through its cooperative agreement with ONC, NeHC is supporting that committee structure, and supports ONC’s efforts to disseminate information about the work of these committees to interested parties and the broader stakeholder community.”

Federal Advisory Committee Blog Post:
Feedback Requested by Nov 3
Governance Workgroup Seeks Comments
on Roles and Responsibilities for Governance

Monday, October 25th, 2010 | Posted by: John Lumpkin on FACA Blog and reposted here by e-Healthcare Marketing. 

The Governance Workgroup (Workgroup) is developing recommendations on governance mechanisms for the nationwide health information network.  The Workgroup identified overarching objectives, key principles and core functions for governance in its Preliminary Report and Recommendations on the Scope of Governance [PDF – 94 KB] presented to the HIT Policy Committee on October 20th.  The Workgroup is now preparing final recommendations on how governance functions should be implemented and by whom.  As a first step, the Workgroup would like to identify existing mechanisms that might be appropriate, with or without modifications, and with or without some added coordination; and whether new mechanisms are needed, and if so, which?  The Workgroup would like public input on these issues and has created a table listing the core functions and questions to frame the input.  The table is available at here [DOC – 81 KB]. A short version of the table is presented below, for your comments.  If you prefer, you can download and complete the table and email it to Please put “Governance Workgroup Recommendations” in the Subject Line.

We would appreciate receiving comments as soon as possible and no later than November 3.

Recommended Governance Functions include:

(For more details, see the Recommendations report [PDF – 94 KB] presented to the HIT Policy Committee)

I. Establish policies for privacy, security, interoperability and to promote adoption of the NW-HIN.

a. Privacy and Security

b.  Interoperability, Eligibility Criteria and Compliance Expectations

c.  Address gaps; coordinate stakeholder input

d. Coordinate with technical and validation bodies

II. Establish technical requirements to assure policy and technical interoperability.

a. Adopt requirements

b. Coordinate with policy setting body

c. Change and transition process

d. Recognize or authorize shared technical services

III. Establishing appropriate mechanisms to assure compliance, accountability and enforcement.

a. Determine eligibility

b. Evaluate compliance

c. Assure accountability

d. Enforce

IV. Oversight of the governance mechanisms.

a. Track issues

b. Monitor ongoing compliance

c. Assess risks and benefits to prevent harm

d. Evaluate effectiveness

e. Resolve disputes

While all comments are welcome, we would specifically like input on these questions for each of the four recommended governance functions listed above:

  1. What existing entity or process could be leveraged NW-HIN governance? How does it function?
  2. What is the jurisdiction for its functions and under what authority does it operate?
  3. What level of formality is used (e.g. self-regulated, state regulated)?
  4. Can it scale to satisfy NW-HIN needs (w/ or w/out changes)?
  5. Does it satisfy NW-HIN governance objectives (w/ or w/out) changes?  If yes, provide rationale.
  6. Are additional mechanisms or processes necessary? Why?

Thank you,
John Lumpkin, MD, MPD, Chair, Governance Workgroup
To comment directly, go to the FACA Blog post.

NJHIMSS joins National Health IT Advocacy Day in Washington

Bus journey from New Jersey starts early morning at NJHA, Princeton: June 17, 2010

NJHIMSS ready to board bus,

NJHIMSS members pose before bus journey to Washingon DC.


NJHIMSS Members start boarding bus for DC.

Starting the day’s journey to Capitol Hill in early morning, June 17, 2010, members boarded a bus at NJHA in Princeton. Stopping in Cherry Hill to pick up additional HIMSS members, the bus sped (within speed limits) to Washington, DC.

 Lunching at Top of the Hill Reserve Officers Association, near the nation’s Capitol, the New Jersey chapter welcomed guests from the Hill, and listened to updates on New Jersey initiatives in Health IT.

Bill O'Bryne

Bill O'Bryne, Exec Director, NJ HITEC

Bill O’Byrne, the new executive director of NJ-HITEC, New Jersey’s Regional Extension Center, spoke about the challenges facing the center in bringing 5,000 New Jersey physicians and other clinicians on to meaningful use of Electronic Health Records.

The night before, O’Byrne received HIMSS State Official of the Year award, one of only three presented this year, for his work supporting Healthcare IT initiatives in New Jersey.

Additional pictures on BluePrint Healthcare IT’s Community section–click ere.

HHS Awards $83.9 Mil ARRA to Expand Use of Health IT at HCCNs

HHS Awards $83.9 Million in Recovery Act Funds to
Expand Use of Health Information Technology at
Health Center Controlled Networks (HCCNs)
Thursday, June 3, 2010         
Received via email                           

HHS Secretary Kathleen Sebelius today (June 3, 2010) announced $83.9 million in grants to help networks of health centers adopt electronic health records (EHR) and other health information technology (HIT) systems. The funds are part of the $2 billion allotted to HHS’ Health Resources and Services Administration (HRSA) under the American Recovery and Reinvestment Act of 2009 to expand health care services to low-income and uninsured individuals through its health center program. 

“We need health information technology to bring our health care system into the 21st century,” said Sebelius. “This essential technology improves the quality of care we all receive and helps make care more efficient.”

Forty-five grants will support new and enhanced EHR implementation projects as well as HIT innovation projects.  Funds will allow grantees to use EHR technology to improve health care quality, efficiency, and patient safety.  Eligible professionals practicing within health centers who are able to demonstrate meaningful use of certified EHR technology may be eligible for incentive payments provided under Medicaid and Medicare. 

“These funds will help safety net providers acquire state-of-the-art health information technology systems as they work to provide quality health care to millions of people in need,” said HRSA Administrator Mary Wakefield, Ph.D., R.N. 

Health Center Controlled Networks (HCCNs) improve the operational effectiveness and clinical quality in health centers by providing management, financial, technology and clinical support services. The networks, comprised of at least three collaborating organizations, are community-based groups that support HRSA-funded health centers that provide primary health care to nearly 19 million patients – a number expected to double over the next five years as health reform is implemented.

The grants listed below were awarded through a competitive process:

ARRA – Health Information Technology Implementation Grants
Organization City State Amount
Whatley Health Services, Inc Tuscaloosa Alabama $645,875
Alaska Primary Care Association, Inc. Anchorage Alaska $567,891
Dena’ Nena’ Henash – Tanana Chiefs Conference Fairbanks Alaska $1,000,000
El Rio Santa Cruz Neighborhood Health Center Tucson Arizona $1,000,000
Golden Valley Health Center Merced California $2,998,013
Association of Asian/Pacific Community Health Organizations Oakland California $1,000,000
Redwood Community Health Network Petaluma California $2,079,598
Family Health Centers of San Diego, Inc San Diego California $3,000,000
Community Access HCCN, LLC San Francisco California $2,519,875
Community Health Center Network San Leandro California $3,000,000
Alliance For Rural Community Health Ukiah California $866,031
Clinicas del Camino Real, Inc Ventura California $3,000,000
Colorado Community Managed Care Network Denver Colorado $1,000,000
Southbridge Med. Advisory Council, Inc. Wilmington Delaware $558,114
Health Choice Network, Inc. Miami Florida $2,990,887
Community Health Centers Alliance, Inc. Saint Petersburg Florida $3,000,000
Erie Family Health Center, Inc Chicago Illinois $999,998
Near North Health Service Corporation Chicago Illinois $2,998,849
Illinois Primary Care Association Springfield Illinois $3,000,000
Community Health Integrated Partnership, Inc. Glen Burnie Maryland $2,912,404
Boston HealthNet Boston Massachusetts $2,986,872
Northern Minnesota Network Isanti Minnesota $2,452,568
Coastal Family Health Center, Inc. Biloxi Minnesota $2,987,714
Missouri Coalition for Primary Health Care Jefferson City Missouri $1,000,000
St. Louis Integrated Health Network St. Louis Missouri $1,000,000
One World Community Health Centers Omaha Nebraska $1,511,083
Community Health Access Network, Inc. Newmarket New Hampshire $1,106,358
Southern Jersey Family Medical Centers, Inc. Hammonton New Jersey $3,000,000
New Mexico Primary Care Association Albuquerque New Mexico $2,011,000
Charles B. Wang Community Health Center, Inc. New York New York $994,800
Community Health Care Association of New York State New York New York $2,999,983
The Institute for Family Health New York New York $825,709
Finger Lakes Migrant Health Care Project, Inc. Penn Yan New York $997,832
OCHIN Inc. Portland Oregon $3,000,000
Health Federation of Philadelphia Philadelphia Pennsylvania $327,169
East Bay Community Action Program Newport Rhode Island $1,574,074
Community Health Network Oakdale Tenn. $2,110,936
Texas Association of Community Health Center Austin Texas $982,587
Lone Star Circle of Care Georgetown Texas $2,987,610
Barrio Comprehensive Family Health Care Center, Inc. San Antonio Texas $2,909,072
Wasatch Homeless Health Care, Inc. Salt Lake City Utah $585,000
Southwest Virginia Community Health Systems, Inc. Saltville Virginia $1,826,240
Bi-State Primary Care Association Montpelier Vermont $2,226,278
PTSO of Washington Seattle Washington $1,361,093
Wisconsin Primary Health Care Association Madison Wisconsin $1,000,000
Total: $83,901,513


The activities described in this release are being funded through the American Recovery and Reinvestment Act (ARRA). More information on ARRA funding for health information technology can be found at:

The Health Resources and Services Administration is part of the U. S. Department of Health and Human Services.  HRSA is the primary federal agency responsible for improving access to health care services for people who are uninsured, isolated, or medically vulnerable.  For more information about HRSA and its programs, visit

 Note: All HHS press releases, fact sheets and other press materials are available at

Add’l $30.3 Mil to Fund Two New Beacon Health IT Communities

ONC to Add 16th and 17th Beacon Health IT Communities
Excerpted from ONC Beacon Communities Page
“The Beacon Community Cooperative Agreement Program provides communities with funding to build and strengthen their health information technology (health IT) infrastructure and exchange capabilities. These communities will demonstrate the vision of a future where hospitals, clinicians, and patients are meaningful users of health IT, and together the community achieves measurable improvements in health care quality, safety, efficiency, and population health.

“In May 2010, ONC made awards to 15 Beacon Communities. An additional $30.3 million is currently available to fund additional Beacon Community cooperative agreement awards. An announcement to apply was made on May 26, 2010.

“Beacon Communities will generate and disseminate evidence and insights that are applicable to the rest of the nation about the use of health IT resources to inform a range of specific clinical, care delivery, and other reforms that, together, can enable communities to achieve measurable and sustainable improvements in health care cost, quality, and population health. The Beacon Community Program will include $250 million in awards to 17 communities with an additional $15 million for technical assistance to help these communities succeed and to evaluate what works.”

Learn more about the Beacon Community Cooperative Agreement Program:

Beyond Meaningful Use: Learning Health System, a Theme of Listening Session

Beyond Meaningful Use: Listening Session Looks Ahead to The Learning Health System
The April 6, 2010 listening session (audio link below) for the draft framework for the Health IT Strategic Plan pointed to a concept more far reaching than meaningful use: the Learning Health System. One of the four themes proposed by the Health IT Committee Strategic Plan Workgroup, the  Learning Health System, is based on the charter of  the Institute of Medicine’s Roundtable on Evidence-Based Medicine, since renamed the Roundtable on Value & Science-Driven Health Care.

One of the transformational concepts underlying the learning system moves the physician beyond reliance on their solo expertise toward working in collaboration with the patient, other clinicians, and continuously updated  data resources and scientific evidence to improve patient care.

“A learning health system” according to a slide from the listening session citing the Institute of Medicine, ”is a system that is designed to generate and apply the best evidence for the collaborative health care choices of each patient and provider; to drive the process of new discovery as a natural outgrowth of patient care; and to ensure innovation, quality, safety, and value in health care.”

The prior week, the Roundtable sponsored its latest Workshop,  April 1-2, 2010, in Washington, DC, which was  titled “The Learning Healthcare System in 2010 and Beyond: Understanding, engaging, and communicating the possibilities.” The Roundtable, in describing its work, says it develops meetings and projects with leaders from a range of healthcare sectors to achieve “its goal that by 2020, ninety percent of clinical decisions will be supported by accurate timely, and up-to-date clinical information, and will reflect the best available evidence.”

ONC’s Health IT Strategic Framework:
The Learning Health System
The following section on the Learning Health System, one of four themes, is excerpted from the pre-decisional draft of the ONC’s Health IT Strategic Framework that was discussed at the April 6 listening session of the HIT Policy Committee Strategic Plan Workgroup.
PDF version of draft Framework

Theme 4: Learning Health System 

a. Goal:
Transform the current health care delivery system into a high performance learning system by leveraging health information and technology. 

 b. Principles |
          1. Health information should be used to facilitate rapid learning and innovation in diagnosis, treatment, and decision making to improve health outcomes and to enhance health system value. 

          2. HIT should help engage patients and providers to take active roles in creation and application of evidence-based care.  

c. Objectives 
1. Use HIT methodologies, policies and standards to foster creation of knowledge across a large network of distributed data sources, while protecting privacy and confidentiality. 

          2. Engage public and private sectors stakeholders at the national, regional, and local levels to effectively leverage data and human resources to advance care delivery, alignment of payment with outcomes, research (e.g., clinical research, comparative effectiveness research), public health (e.g., drug safety monitoring, outbreak surveillance), education (e.g., K-12, colleges, professional schools, professional lifelong learning) and social services to promote and maintain community health. 

           3. Support individuals decision on making their data be used for society (e.g., research and public health), while protecting their privacy. 

          4. Leverage data from populations to expand knowledge and promote scientific discoveries that advance the understanding of health, disease, and treatments. 

d. Strategies 
1. Continuously evaluate successes and lessons learned through HIT adoption, and actively incorporate best practices into the HIT programs and services. 

                              Provide mechanisms to assess and continuously improve EHR safety. Explore and develop EHR safety measures and reporting mechanisms as learning processes to improve the safety of EHRs. 

           2. Reward, showcase, and leverage industry best practices and innovative uses of HIT to create an active community learning system that supports advances in health promotion and treatment of diseases in the US. Make knowledge and technology accessible to health care professionals and consumers. 

          3. Engage all levels of the public and private sectors, along with the international community, in coordinated activities to advance population health (public health, biomedical research, quality improvement, and emergency preparedness) by using common policies, standards, protocols, legal agreements, specifications, and services for data sharing and building knowledge. 

          4. Stimulate and support innovations in care delivery, performance measurements, genomics, and comparative effectiveness through HIT. 

                             Support research and development activities to overcome obstacles that impede creation of learning systems.  

           5. Incorporate the global health dimension into the interoperability requirements of the learning system infrastructure.  

           6. Harmonize the meaningful-use requirements with the dual needs of population health (clinical research, comparative effectiveness, public health) and a learning system. 

          7. Through a comprehensive education and communications campaign, promote a shared vision of a learning health system and the role of HIT in helping to create it. 

                         Develop and implement educational material and tools to improve consumers’ health and HIT literacy and to promote self management and self efficacy using HIT. 

                        Communicate with professional societies and boards to identify opportunities for meaningful use activities to contribute to professional education programs. 

Additional Resources:
See earlier post from e-Healthcare Marketing on Listening Session on Strategic Framework.

Materials and audio from April 6, 2010 Listening Session.

Meeting Materials

IOM April 1-2, 2010 Roundtable: “The Learning Healthcare System in 2010 and Beyond: Understanding, engaging, and communicating the possibilities”

Use the tool below to view free online published version of 2006 IOM Workshop on the Learning Health System.

Q&A: Electronic Prescriptions for Controlled Substances

Q&A: Electronic Prescriptions for Controlled Substances
Drug Enforcement Administration (DEA), U.S. Department of Justice
Per Office of National Coordinator (ONC) for Health IT Regulations & Guidance page, “DEA’s rule, “Electronic Prescriptions for Controlled Substances” revises DEA’s regulation to provide practitioners with the option of writing prescriptions for controlled substances electronically.  The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions.  DEA’s discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule.  DEA also worked closely with the National Institute of Standards and Technology (NIST) and the General Services Administration (GSA).”  

General Questions and Answers
[As of 03/31/2010]

DEA Office of Diversion Control

These Questions and Answers were excerpted from DEA’s Office of Diversion Control Web site on April  8, 2010.
The questions and answers below are intended to summarize and provide general information regarding the Drug Enforcement Administration (DEA) Interim Final Rule with Request for Comment “Electronic Prescriptions for Controlled Substances” (75 FR 16236, March 31, 2010) [Docket No. DEA-218, RIN 1117-AA61].  The information provided is not intended to provide specific information about every aspect of the rule, nor is it a substitute for the regulations themselves.  

Q.  What is DEA’s rule “Electronic Prescriptions for Controlled Substances?”

A.  DEA’s rule, “Electronic Prescriptions for Controlled Substances” revises DEA’s regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically.  The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions.  The rule was published in the Federal Register Wednesday, March 31, 2010 and becomes effective on June 1, 2010. 

Q.  Is the use of electronic prescriptions for controlled substances mandatory?    

A.  No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions.  Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing.  Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA’s perspective.  Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions.  Oral prescriptions remain valid for schedule III, IV, and V controlled substances.   

Q.  Did DEA consider public comment in the development of this rule?    

A.  DEA considered almost two hundred separate comments received from the public to the “Electronic Prescriptions for Controlled Substances” Notice of Proposed Rulemaking (73 FR 36722, June 27, 2008) in the development of this rule.   

Q.  Did DEA work with other Federal agencies in the development of this rule?   

A.  DEA worked closely with a number of components within the Department of Health and Human Services.  DEA’s discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule.  DEA also worked closely with the National Institute of Standards and Technology and the General Services Administration.   

Q.  When can a practitioner start issuing electronic prescriptions for controlled substances?

A.  A practitioner will be able to issue electronic controlled substance prescriptions only when the electronic prescription or electronic health record (EHR) application the practitioner is using complies with the requirements in the interim final rule.    

Q.  When can a pharmacy start processing electronic prescriptions for controlled substances?   

A.  A pharmacy will be able to process electronic controlled substance prescriptions only when the pharmacy application the pharmacy is using complies with the requirements in the interim final rule.    

Q.  How will a practitioner or pharmacy be able to determine that an application complies with DEA’s rule?    

A.  The application provider must either hire a qualified third party to audit the application or have the application reviewed and certified by an approved certification body.  The auditor or certification body will issue a report that states whether the application complies with DEA’s requirements and whether there are any limitations on its use for controlled substance prescriptions.  (A limited set of prescriptions require information that may need revision of the basic prescription standard before they can be reliably accommodated.)  The application provider must provide a copy of the report to practitioners or pharmacies to allow them to determine whether the application is compliant.   

Q.  As a practitioner, until I have received an audit/certification report from my application provider indicating that the application meets DEA’s requirements, how can I use my electronic prescription application or EHR application to write controlled substances prescriptions?   

A.  Nothing in this rule prevents a practitioner or a practitioner’s agent from using an existing electronic prescription or EHR application that does not comply with the interim final rule to prepare and print a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used.  Until the application is compliant with the final rule, however, the practitioner will have to print the prescription for manual signature.  Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.   

Q.  As a pharmacy, until I have received an audit/certification report from my application provider indicating that the application meets DEA’s requirements, how can I use my pharmacy application to process controlled substances prescriptions?   

A.  A pharmacy cannot process electronic prescriptions for controlled substances until its pharmacy application provider obtains a third party audit or certification review that determines that the application complies with DEA’s requirements and the application provider provides the audit/certification report to the pharmacy.  The pharmacy may continue to use its pharmacy application to store and process information from paper or oral controlled substances prescriptions it receives, but the paper records must be retained.   

Q.  Is identity proofing of individual prescribing practitioners still required and who will conduct it?    

A.  Identity proofing is still required.  It is critical to the security of electronic prescribing of controlled substances that authentication credentials used to sign controlled substances prescriptions are issued only to individuals whose identity has been confirmed.  Individual practitioners will be required to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their two-factor authentication credential or digital certificates.  The CSP or CA will be required to conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3.  Both in person and remote identity proofing will be acceptable.  Institutional practitioners will have the option to conduct in-person identity proofing in-house as part of their routine credentialing process.   

Q.  What two-factor credentials will be acceptable?    

A.  Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information).  The hard token, if used, must be a cryptographic device or a one-time-password device that meets Federal Information Processing Standard 140-2 Security Level 1.   

Q.  How will the two-factor credential be used?    

A.  The practitioner will use the two-factor credential to sign the prescription; that is, using the two-factor credential will constitute the legal signature of the DEA-registered prescribing practitioner.  When the credential is used, the application must digitally sign and archive at least the DEA-required information contained in the prescription.  Because the record will be digitally signed and archived at that point, the proposed requirement for a lock-out period is not needed and is not part of the interim final rule.   

Q.  May a practitioner use his own digital certificate to sign an electronic controlled substance prescription?    

A.  Yes, the interim final rule allows any practitioner to use his own digital certificate to sign electronic prescriptions for controlled substances.  If the practitioner and his application provider wish to do so, the two-factor authentication credential can be a digital certificate specific to the practitioner that the practitioner obtains from a Certification Authority that is cross-certified with the Federal Bridge Certification Authority at the basic assurance level.   

Q.  Must a practitioner separately attest to each prescription?    

A.  No, the application must include, on the prescription review screen, a statement that the use of the two-factor credential is the legal equivalent of a signature, but no keystroke is required to acknowledge the statement.   

Q.  Is it permissible to have a staff person in the practitioner’s office complete all of the required information for a controlled substance prescription and then have the practitioner sign and authorize the transmission of the prescription?    

A.  Yes, however, if an agent of the practitioner enters information at the practitioner’s direction prior to the practitioner reviewing and approving the information, the practitioner is responsible in the event the prescription does not conform in all essential respects to the law and regulations.   

Q.  Can a practitioner print a copy of any electronic prescriptions for controlled substances?   

A.  Yes, the electronic prescription application may print copies of the transmitted prescription(s) if they are clearly labeled: “Copy only – not valid for dispensing.”  Data on the prescription may be electronically transferred to medical records, and a list of prescriptions transmitted may be printed for patients if the list indicates that it is for informational purposes only and not for dispensing.  The copies must be printed after transmission.  If an electronic prescription is printed prior to attempted transmission, the electronic prescription application must not allow it to be transmitted.    

Q.  Will a practitioner be allowed to simultaneously issue multiple prescriptions for multiple patients with a single signature?    

A.  A practitioner is not permitted to issue prescriptions for multiple patients with a single signature.  However, a practitioner is allowed to sign multiple prescriptions for a single patient at one time.  Each controlled substance prescription will have to be indicated as ready for signing, but a single execution of the two-factor authentication protocol can then sign all prescriptions for a given patient that the practitioner has indicated as being ready to be signed.   

Q.  Once an electronic controlled substance prescription is signed, must it be transmitted to the pharmacy immediately?    

A.  No, signing and transmitting an electronic controlled substance prescription are two distinct actions.  Electronic prescriptions for controlled substances should be transmitted as soon as possible after signing, however, it is understood that practitioners may prefer to sign prescriptions before office staff add pharmacy or insurance information, therefore, DEA is not requiring that transmission of the prescription occur simultaneously with signing the prescription.   

Q.  If transmission of an electronic prescription fails, may the intermediary convert the electronic prescription to another form (e.g. facsimile) for transmission?   

A.  No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form.  If an intermediary cannot complete a transmission of a controlled substance prescription, the intermediary must notify the practitioner.  Under such circumstances, if the prescription is for a schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy.  This prescription must indicate that it was originally transmitted to, and provide the name of, a specific pharmacy, the date and time of transmission, and the fact that the electronic transmission failed.   

Q.  What are the restrictions regarding alteration of a prescription during transmission?    

A.  The (DEA-required) contents of a prescription shall not be altered during transmission between the practitioner and pharmacy.  However, this requirement only applies to the content (not the electronic format used to transmit the prescription).  This requirement applies to actions by intermediaries.  It does not apply to changes that occur after receipt at the pharmacy.  Changes made by the pharmacy are governed by the same laws and regulations that apply to paper prescriptions.   

Q.  Are electronic prescription records required to be backed-up, and if so, how often.   

A.  Yes, pharmacy application service providers must back up files daily.  Also, although it is not required, DEA recommends as a best practice that pharmacies store their back-up copies at another location to prevent the loss of the records in the event of natural disasters, fires, or system failures.   

Q.  What should a pharmacist do if he receives a paper or oral prescription that was originally transmitted electronically to the pharmacy?    

A.  The pharmacist must check the pharmacy records to ensure that the electronic version was not received and the prescription dispensed.  If both prescriptions were received, the pharmacist must mark one as void.   

Q.  What should a pharmacist do if he receives a paper or oral prescription that indicates that it was originally transmitted electronically to another pharmacy?    

A.  The pharmacist must check with the other pharmacy to determine whether the prescription was received and dispensed.  If the pharmacy that received the original electronic prescription had not dispensed the prescription, that pharmacy must mark the electronic version as void or canceled.  If the pharmacy that received the original electronic prescription dispensed the prescription, the pharmacy with the paper version must not dispense the paper prescription and must mark the prescription as void.   

Q.  What are the DEA requirements regarding the storage of electronic prescription records?    

A.  Once a prescription is created electronically, all records of the prescription must be retained electronically.  As is the case with paper prescription records, electronic controlled substance prescription records must be kept for a minimum period of two years.    

Q.  Who can conduct an audit or certify an application?

A.  Application providers must obtain a third-party audit or certification to certify that each electronic prescription and pharmacy application to be used to sign, transmit, or process controlled substances prescriptions is in compliance with DEA regulations pertaining to electronic prescriptions for controlled substances.  The application may undergo a WebTrust, SysTrust, or SAS 70 audit conducted by a person qualified to conduct such an audit. The application may undergo an audit conducted by a Certified Information System Auditor who performs compliance audits as a regular ongoing business activity. The application may have a certification organization whose certification has been approved by DEA verify and certify that the application meets DEA’s requirements.   

Q.  When must a third-party audit or certification be conducted?    

A.  The third-party audit or certification must be conducted before the electronic prescription application is used to sign or transmit electronic prescriptions for controlled substances, or before the pharmacy application is used to process electronic prescriptions for controlled substances, respectively.  Thereafter, a third-party audit or certification must be conducted whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.   

Q.  To whom does the third-party audit/certification requirement apply?   

A.  The requirement for a third-party audit applies to the application provider, not to the individual practitioner, institutional practitioner, or pharmacy that uses the application.  Unless an individual practitioner, institutional practitioner, or pharmacy has developed its own application, the practitioner or pharmacy is not subject to the requirement.   

See related post on March 25, 2010 on e-Healthcare Marketing.