December 6, 2021: Healthcare can’t move forward without regulatory guidelines. Health IT leaders need to be in the know. Mari Savickis, Vice President, Public Policy at CHIME joins us today to discuss interoperability, de-identified data, 21st Century Cures, HIPAA, National Patient Identifier and cybersecurity. Plus the year that was in Washington, DC. HIPAA is so antiquated, but we adhere to it like it’s the 10 Commandments. Is there any movement towards redoing it? Language prohibiting the HHS from developing a patient identification standard was removed from the House Labor bill for the 1st time in the Senate. And the FTC clarified their Health Breach Notification rule to include third-party applications that collect consumer’s health information under privacy protections.
00:00:00 - Intro
00:25:00 - CHIME public policy launched the InfoBlockingCenter.org in 2021. A convenient site to find free resources, FAQs, articles, archived webinars, and cheat sheets to prepare you for compliance.
00:27:00 - All sectors are facing cybersecurity staffing shortages
00:27:30- 3 out of 4 hospitals operate without a designated security leader
00:31:30 - Cyber insurance has gone up by almost 50%
Questions or comments? Please reach out to [email protected]
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.Bill Russell: [:ad high tech in place back in:ay. My name is Bill Russell. [:
Special thanks to Sirius Healthcare, Health Lyrics and World Wide Technology who are our Newsday show sponsors for investing in our mission to develop the next generation of health IT leaders.eek in Health IT. Starting in:
We're excited about where the community will take this channel. The Academy is about training. It's about training the next generation of health leaders. Here's where we're going to be launching our new show. It's called Insights and the show will actually take highlights from our last five years and break them into 10 minute episodes for your team and perhaps people who are new to health IT to come up to speed.to right now will become our [:this weekhealth.com/shows - [:
All right. It's news day. And today we're joined by Mari Savickis with CHIME Public Policy. And we are going to look at the year that was in Washington, DC with regard to Health IT.
And we're going to look at the year that's coming up. We're also going to touch on some cybersecurity stuff as well. They just did a really cool survey and we're going to share some of the findings from that as well. Mari, welcome. Welcome to the show.
Mari Savickis: Thank you Bill for having me back.Bill Russell: [:of it and then I'll chime in [:
Mari Savickis: Sure. For those of you have tuned in before and heard our our conversation, cyber is the name of the game over here.
And so, at the top of the year, January 6th, it seems like a distant memory, right? Almost a year ago. President Trump actually it was Trump and was over the last bill that he signed before leaving off at signed a bill into law that is really something we've been working on for years. The way that it works in DC is it's a lot of rolling boulders up the mountain kind of thing.quickly. And so it was years [:e. And the intensity of them [:'ve had a lot of interest in [:
And what's great about the practices is that they are designed for not just big well-funded providers. You're also designed for the smaller, medium, and you don't have to do everything in one day. Right. Kind of thing. It's it's a journey,
Bill Russell: It almost has to be designed for the smaller players because when you look at the breaches over the last years, Some of those small players, it's the Sky Lakes Medical Center.s not the large players that [:
And so this kind of relief you know, is targeted to help them around the audits and compliance as long as you're following best practices, but it's also designed to get them money. Isn't it?
Mari Savickis: That's exactly right. I mean, I think there was a widespread acknowledgement that the smaller intellectual resource providers are exactly just that left for resource.t even have even a part-time [:
And some, I just had a conversation with someone this morning who represents rural health care providers and one of their members was hit and I think it was, it was rural Michigan. I guess they thought, well, why wouldn't anybody want me to do it that? So I was like, oh, they actually want everything to do with you.in. So it's trying to bring [:at. I'll send it to you. But [:
Bill Russell: I think part of that is the complexity, right? So you're talking about that. The 405D resources, ISAC and other things. There's a bunch of resources for us to pull together. If you were talking to a CIO what are the one-stop shops?nd really understand things? [:
Mari Savickis: It is overwhelming. And so what I would say is that that's why you join a professional association. So if you're a member of CHIME or a has, that's a good place to start. If you're not a member of ours and hopefully you're a member of another organization, who's keeping tabs on us for you. We have, and I can share with you Bill, we have a list of free resources that the government has. We've compiled this together into a neat little cheat sheet.d then again, worst case, if [:
Right. You're just going to tell me, this is not for me to make the handoff to the proper officials. And then we step out of it. So, the worst case isyou're having trouble to getting response that, you can let us know. One of the top things that's recommended by the government is that you get to know your local FBI office.n't done that and that's one [:
And so you should establish a relationship with them. That's just one, one step you can do.
Bill Russell: You know, we're going to come back to cybersecurity, but obviously we have patient ID. We have interoperability, we have a bunch of things. So let's sit on patient ID.o this is another monumental [:entifying, for patients, for [:
And so that piece has been removed and there's a prohibition in Congress right now. Again, it's a law that says HHS can find anything related to establishing a standard for a patient that identifies them. That's why there's no number or or solution or framework that HHS is adopted. So there's that.he house of representatives. [:gh in the entire fiscal year,:So we celebrate the [:
It's going to happen. I don't think that necessarilty, I mean, I want to be optimistic, but I have to be a realist too. But, we're getting closer. Every day is a little bit closer. Anybody wants to join our coalition you can join our coalition and it's free also. To help us get the ban removed.lked to you, I feel like I'm [:
All of this is about it's about funding, the research, right? So we're not trying to solve the problem of, okay we have this many undocumented immigrants in Southern California. Roughly six to 8% of the people that presented in one of our hospitals were undocumented. Because essentially they weren't Kaiser patients.[:That's highly controversial [:
And then in the end, maybe something's illegal they might not want to get a number. I mean, I think we, you don't want to let perfect be the enemy of the good that you do have to keep your eye on these populations who may be under starved. So we do think it needs to be able to be able to touch everyone.want some nights reading at [:
I think tha t some of the concerns are rooted in the government having control over people's data. But I mean, some of these arguments are somewhat antiquated and you and I have talked about this before. We're giving away a lot of data anyway. And so to think that it's not actually already out there and there's actually bumpers. The government can't just do what they want to do with personal data.There's the privacy act of:k we should paint the people [:
What about this group? What about, there's a lot of challenges to it that. just, just the it needs to be it to see the light of day in terms of a debate. And I think that's what we're pushing for here. Right? Let's get it on the Senate floor. Let's have the debate. Let's have the conversation, let's put it to a vote and, and make it part of the public consciousness.done, well. It can also have [:
Now we're starting to have the conversation on the Senate floor and making progress, but this is the kind of thing, people are thinking, oh, this is close to the finish line. It could be an administration or, or potentially two away from actually getting across the finish line, depending on what happens next. We just never know.Mari Savickis: I forgot [:me, if you invite me back for:
Bill Russell: Oh, you'll be invited back. Don't don't worry about that.
Mari Savickis: Naughty or nice. Make sure I don't get a lump of coal in my stocking.
Bill Russell: Yeah, no, you'll probably get a, like a dish for Elon Musk's new internet service so that we can have a better connection next year. I'm sorry.
Mari Savickis: I'll just fly to Florida. We can just do it in person. Somehow if I can navigate the travel..the Vive conference? Is that [:ight. Just help me say, just [:
Or I just want to understand like what it is you're asking me to do. I mean said another way is they don't like ambiguity. We want bright yellow lines. We want to know what fit are you being held to so on and so forth. And so there's a long history of HIPAA compliance. And so, it's not perfect. I think you could probably argue either side.onal privacy bill, there are [:o know everyone where you're [:
And so I think that's something that's going to have to be ruffled to the ground. I'm not sure that I have, I'm sure I don't have the answer, but it's tough. Right. So I'm not even sure that some of these other bills that try to like go a bit further are going to involve all of the calls. Like.Bill Russell: [:
I'll stay there, but we've had people on the show and we've talked about like six other areas that really could use some just basic touch-up, but others like a rethinking, because this things. This thing's getting up there in age and technology is changing so rapidly. De-identified data is pretty interesting.e in Florida and if they get [:ta. That's the de-identified [:
If I want my data in that repository, I guess if I'm not even sure if it's covered with this, but I could opt out of the record sharing, but that was more for the health information exchange, but I think it's being applied to this to this new venture. And by the way, they spin up this thing.s venture, and it's now it's [:ve often said that the house [:
Mari Savickis: Is this data Bill. Is this de-identify are we still on the topic of de-identified?
Bill Russell: Yup. We are. We are Yes. It is de-identified you're right.k, I mean, correct me if I'm [:our consent, there's a whole [:
Like, for example, a placenta, right? I didn't know that they could just do something with that. I didn't know that. And so I think this comes to the larger conversation, I guess maybe I'm going to put my consumer hat on and take my time out of ops to be careful here. Just transparency, right? I mean, you just want to be transparent about what you're doing.nting deals with big tech is [:
Bill Russell: Yeah. And, and, I'm not calling out healthcare here cause all my Google data is being used for making money for advertising, that kind of stuff.ial, say, I, I would love to [:
Mari Savickis: It's happening but I think Congress has been fairly distracted this year. They're still this distracted, right? They have a lot of stuff to do before the end of the year. I don't even have many business days are left for them, but there's not that many. They're dealing with the government shutdown tomorrow. They're still dealing with build back better. Dealing with the national defense authorization act.fore you get to privacy. And [:They're the ones that govern [:
They think it's one person that's really like, there's a downstream effect here. So we just have to take it in bite size pieces. I don't think we're going to solve everything tomorrow.o, there's definitely a win. [:d high tech in place, back in:
So that's the good news, right? I mean, can you imagine having a pandemic 10 years ago, it would've been a disaster. So we're a lot closer than we were, but it's still not correct. And one of the things you know, just go back to the HIPAA stuff for a moment that we need for interoperability is consent. That is not ironed out nicely.ork in progress. Now back to [:
Well, I don't think that that's true and I'm not alone in my thinking. So increasingly I think you're going to hear more about that. So the deadlines too are rapidly approaching like within a year. Does everybody have a Firebase server? I don't know. I don't think so. Somebody should probably, probably will be off.what the permeation rate is, [:answers. But we'll tell you [:
Bill Russell: Yeah. One stop shop infoblocking center.org. What am I going to find there?
Mari Savickis: You're going to find, like for example eight exceptions information blocking. Super complicated. The privacy one is like, I think the most, one of the most complicated.
Bill Russell: So your team has broken it down and done those things. You guys are also doing a lot of online content and that kind of stuff. You develop those cheat sheets, which I love. It really is fantastic. So your team is yourself. Who else is on your team?Savickis: So we have Andrew [:
Bill Russell: Actually I do peruse that that newsletter every week. It's really helpful just to know what's going on and to stay ahead of the curve. I really appreciate all this stuff that your team is doing. We'll have to have Cassie on. Because we had, we've had Andrew on it at some point, but we have not had Cassie on. Get her in front of the mic and find out what's going on from her perspective.
Mari Savickis: Yeah, absolutely. We're happy to bring the team on next year, that would be, that'd be fabulous. They are both amazing.ll: The last thing I want to [:
Actually to, just to tee it up, we we were talking about a story. Attracting retaining healthcare CISOs. Maybe it's not a money problem, and this is an SC Media. Jessica Davis wrote this article. She says all sectors are facing cybersecurity staffing shortages with the latest data, showing that the US cybersecurity workforce needs to increase by 65% to protect critical infrastructure.But for [:the pandemic many hospitals [:scenario. And the total does [:% open [:ow if you did it per se, but [:
Mari Savickis: It was basically with AHA our affiliate organization comprises of those. It's yeah, it's our survey. And we plead with them to fill this out because we really need to know where we need to push and pull in DC. I mean, you hit on all of the, the challenge, the workforce itself is a big challenge.really wearing like a super [:
And maybe, maybe their salary, isn't the only factor. They really feel very invested in getting up and doing the right thing, which is what I've found. I mean, in a lot of places you can work, but working for patients is really a calling. So, I mean, there, there are shortages and I think that's something we have to work on together.d Fend. She's now again, And [:
Bill Russell: Yep. so it did go out to a CISOs within healthcare. Here's some of the findings 67% of respondents indicated they had a security incident in the last 12 months. That meshes with my anecdotal conversations that I've had. 45% were unaware of free best practices from 405D only 52% are members of ISAC and 80% of respondents indicated the cost of cyber insurance had increased over the past year.I [:her level of compliance, but [:ersecurity and anything like [:same amount of coverage. And [:
You don't want to have a situation where you're scared of the POC. And just doing something to do something. So, yeah, we've heard a lot about that. And Congress is aware of it and there's been a geo report on it too. So this is like an issue.or federal assistance about [:
Maybe, maybe not you. It's information you put in people's hands who are going to be in those meetings I would imagine.avickis: The report has nice [:
We're pursuing that, especially for underserved providers. TBD on whether we'll get that some level of support with the regional, like something like a regional extension center that kind of help boots on the ground when you need help. A closer relationship, I mentioned at the top of the call with federal authorities are saying that they feel like they need.And a clear understanding [:es that they had. There were [:
Bill Russell: Yeah, absolutely. All right. I want to give you the final word here. What, what can we expect from Congress and the hill next year? You know, what big events do you expect that we're going to make progress on next year?
Mari Savickis: Oh, this pandemic man.
Bill Russell: Yeah I know. And we're going through a new variant right now. I mean, that could start off things pretty good.hoping that especially with [:
Bill Russell: Does it get renewed by a vote of the house or how does it get renewed?e Xray viscera was confirmed [:PAG until at least the end of:Now, when our [:ergency comes off any time in:
I don't think there's any appetite for this administration or for this HHS secretary to pull it off. It's actually a way to fund a bunch of things without getting funding. Right. So, so I think it's, I think it's just going to continue.the team on and we can talk [:
A little bit more gaps, whether it's interoperability or telehealth or patient ID or privacy. I would say another thing our teams are focused on, which we haven't talked about on this call, but we can talk about next time is the care continuum. It's not just for patients, I would just go to hospital. They don't go to a doctor's office.
They go somewhere else. Especially Medicare patients or those with chronic conditions. So that's something we're paying attention to and try to make sure that interoperability spreads across the entire sector. And that they're, well-supportedon the show this year. It's [:efinitely catch up after the [:
Mari Savickis: That sounds great Bill. Thanks so much. Appreciate it.Stitcher. You name it. We're [: