The HIT Transition Weblog

Here's my official list of prognostications for 2008.  In 2006 and 2007, I didn't call them predictions, so I probably don't deserve any credit if anything I said came true.  If you agree -- or not -- you can give me your own scorecard by clicking here.  Give your feedback by January 23 and I'll post the results (and any interesting comments) in a blog at the end of the month. As far as we know, we're the only industry analysts that give you, our valued reader, this critical "You're Full of..." HIT response tool.

We hear our local weather made the BBC.  Yow.  A-yip-tye-o-ee-yay!

We took in a number of refugees, being the last house among our chosen family to have power.  Then the lights went out at about 4 pm yesterday.  The office is only a half-mile away, and there we have both lights and net, hence this post.

I want to reassure you that this meteorological Black Swan is not going to keep us from doing our webinar tomorrow.  Still, if you have an extra box of double-ought swan cartridges, we could use a little more ammunition.  A rick of seasoned firewood would be nice, too.

Meanwhile, yes, we are going to have something to say about Deborah Peel's attack on her local hospital for daring to store patient records electronically, and even more to say about the premature RHIO obituary that seems to have been published in Health Affairs.

Right now, we're kinda chillin'.

http://hittransition.com/flashpoint/ad_rta.htm

My inbox is hot as a hornet's tail, and there's two things that are making it blister.  The first is Medicare's "effective immediately" moratorium on granting additional providers or clearinghouses access to its eligibility data.  The second is this  story about the FBI's raid on WellCare Health Plans Tampa.

The eligibility moratorium was invoked for the explicit purpose of "security," according to my sources.  They not only want to know who's connecting to them, they want to know who's connecting to them.  People in the industry are worried about restraint of trade, if Medicare opts to limit the number of connectivity relationships, which are now wildly complex, often hopping between three or more entities between the provider and Medicare.

Do You Want to See My Etchings?
Details on the WellCare raid are sketchy.  We know that there were three agencies and a lot of agents involved (one report listed 200), and it was dramatic enough to cause about a 70% drop in their stock price before Wall Street halted trading on the issue altogether.

The Invisible Hand at Work
WellCare specializes in administering federal managed care plans for Medicare and Medicaid beneficiaries, competing against other companies trying to sell similar coverage to the same patients.  And they must be doing a good job, right?  Because they've grown into a $4B a year business doling out healthcare for those privatizing patriots back in DC.

Cold Cash
Of course, they did get into a little trouble recently when some, um, overzealous independent agents happened to enroll some beneficiaries who had, well, deceased prior to their enrollment.  In terms of quality outcomes, it's worth noting that 100% of those patients stayed dead under WellCare's management.

Put on Your Belts as I Shift into Hypothetical Drive
Now, if you were having a more significant lapse in regulatory compliance, and you wanted to outdistance your competitors in capturing those Medicare and Medicaid patients with promises of better/faster/cheaper care (as long as we're not talking about the taxpayer, at least), they you might be interested to know all the beneficiaries of a particular program in your area.  You know, the kind of answers you might get from, say, sending in an electronic eligibility request. Or maybe a few thousand.  Or a few hundred thousand.  Whatever.

But of course, that would be wrong.  I'm sure the cause of the raid was just a simple misunderstanding, like forgetting to cross an "i" or dot a "t" on their last Medicare provider enrollment form.

Oh, that's right.  They're not a provider, they're a payer.

Nothing to See Here, Folks
So that must mean these two stories aren't related.  Medicare's new policy is directed at healthcare providers.

http://hittransition.com/flashpoint/ad.htm

I was digging around on some RHIO research (there's a new report out from an organization that is trying to corral the RHIOs into something that might begin to look like a National Health Information Network -- or at least look more like each other). I forgot to take my ADD meds today, so I was clicking away, deeper and deeper into hyperspace when I struck upon Mark Frisse's Policy blog.  Now, Dr. Frisse is a heavy hitter in the RHIO universe.  He sits on blue ribbon panels and he speaks to hifalutin conferences and he coauthors important papers, meanwhile holding a leadership position in one of the country's more forward Regional Health Information Organizations.

So, I expected what I usually get when I see such a luminary has a blog: Two or three cursory posts that read like press releases, followed by many months of neglect.

Imagine my suprise when I discovered his posts were personal, thoughtful, insightful and -- get this!  -- recent.  And long.  (He almost makes me look concise.)  But readable.  Unfortunately, he doesn't include a permalink on his blog entries, so you need to go to his October archive and scroll down to find "Building Nirvana Without Draining the Swamp."

His point -- one of them -- is that it's basically futile to talk about return on investment for healthcare IT, or to determine who should pay for it, until we fix the healthcare system itself.  Since Michael and I are doing a webinar on ROI for healthcare IT in a few weeks, I thought I had better read it. (Continued)

[Okay, this was originally a clever and slightly scary story about the involvement of the CIA in a certain Health IT company (true) that is developing certain identification technologies (again, true) that take advantage of a very sophisticated database technology (absolutely true).

Unfortunately, the author of the story has been unable to substantiate a direct connection between that HIT company and the company that develops the database technology, and it is that second company that is working with the VA.  So, the wry, but somewhat worrisome tone of the original text falls pretty much flat on its face.  The editor regrets the error, and the author is scrambling for some old notes.  I wish him the best.

We don't usually do conspiracy stories.  Maybe this is why.  Hope you like the cartoon, which is still valid, as it concerns only the proven connection between Company A and The Company, as it were. -Ed.]

Click to view the HIT Bottom animated cartoon "HealthFault from Microsoft" >>

Patient Health Records are, in their current incarnation, such a bad idea, that I thought I had put enough bullets in my previous post about Microsoft's HealthVault.  And I definitely pulled some punches in my perspective on the likely impact of Wal-Mart's retail clinics on the healthcare industry.

Now more stuff is beating its way back into my forebrain, and, as usual, the bat is wielded by Mr. HIStalk's well-sourced blog. (Smacked again by my partner, who just posted the "HealthFault from Microsoft" animation at HITCHtv.net.)

I Left My PHR at the Office
One thing I left off the list of bullets is that when PHR is tied to anything temporary -- like, say, an employer or a health insurance plan -- then there isn't a heckuva lot of incentive for patients to maintain the data over time.

And maybe that specific critique doesn't apply to Microsoft -- unless you work for them -- but then the trust issue echoes down that cheeseless PHR tunnel.  The two people you most don't want to know what's wrong with you are your boss and your insurance agent -- lest you give them a legally-defensible reason to kick you out on the street.  Welcome to employer-based healthcare, Mr. 48-Million-and-One!

The third person?  Mr. Gates, I presume.

Speaking of Trust Issues
Wal-Mart has been pushing PHRs as a key member of the employer-based Dossia initiative.  And, even as Dossia membership expands, its developer, Omnimedix, has taken a walk.  One issue may be the viability of the underlying concept: Omnimedix CEO J.D. Kleinke, opined “We don’t believe a system that is developed and operated by employers will be trusted by employees.”

There also seems to be some concern about being paid.

The quote I liked the best came from another software vendor.  I'll just insert my editorial comments in square brackets.

Sorry for the oblique Bugs Bunny paraphrase in the headline, but I needed to mend some bridges with my friends at CMS who are responsible for the new NPI Registry that finally went online this week.

I spent a good deal of time Tuesday playing with it, and my less-than-impressive experience was documented with a longish post that garnered a lot of readership.

But I was only using the Organizational Provider (Type 2) NPI lookup option.  I didn't even look at the Individual Provider tool, in part because I didn't feel comfortable using actual results to illustrate the findings.  This was a mistake.  The tool is cool -- or at least cooler -- and there are some docs and practitioners we can talk about.

I've been playing around on the NPPES National Provider Identifier Registry to see how the webtool works, and get my first look at "real" NPI data.  I was one of many who warned that the data itself -- nearly all of which was entered manually and without independent validation -- would be of questionable consistency.  Some of those questions have been answered by my search sessions, and the answers don't look good.

I also worried about the capabilities of the tool itself -- not much was promised in the way of search functionalities by the CMS design team.  They get an "A" for expectations management, at least.  The search options are rudimentary at best.  Actually, that's a little generous.

But before anybody completely discards the notion of value in the data or the search tool, I should express my optimism.  The search can be improved -- and as it turns out, I have some helpful suggestions.  Likewise, the owners of the data can and should -- and will -- be encouraged to clean it up.  Read on for a click-by-click account, with color commentary.

I'll admit it -- last night/early this morning, sometime between when Conan O'Brien did his last hair flip and all those compelling "You MUST be over 18!" informercials take over all 300 cable channels, I clicked out to see whether the Long Awaited Data Dissemination Policy went into effect -- was the NPI data online?

No.

But they don't call me "CB" because I got a big 10-4 breakin' for you on Channel one-niner.  Nope, it's because I keep believing that Lucy's finally going to let me kick that ball.

So over coffee, I checked again, before I took my daughter to school and walked the dog (no, not THAT dog, her name is Roxy -- but she does sleep on the back of the couch, looking for all the world like that famous beagle on his doghouse). 

No data.  "You blockhead!" I thought to myself.

So after Roxy and I got back home, I checked again.  At least the real CB only tried it once a season.  I keep going back to that gridiron, day after day, hoping to get my toe on the ball.

Still no dice.  Swish!  AUUUGH!

Walter Suarez posts a note to the WEDI NPI list.  It's going online later today!

Good grief!  What do you take me for, a wish-washy....Hey!  There it is!

https://nppes.cms.hhs.gov/NPPES/NPIRegistryHome.do

Many moons ago, I wanted to share a query string that would bring up all CMS FAQs that include the term "NPI."  That was preferable to linking to specific items, because new items were being constantly being added.  I did the search query on the CMS site, which created a URL that was a mile long.  I systematically eliminated components of the string until I came up with something that produced the desired results, but was only a furlong or two in length.

I've given this out before, but I didn't have a direct, isolated link on my blog, so here it is.  You can click on the big ugly string, but that often gets broken in pieces when you copy/paste/send via email, so if that's an issue, you can link people to this blog post by copy/pasting the second string.  (I don't use tinyurl because I'm not sure what they are selling to do what they do for free.  I am selling mostly free information with a few fee-based webinars and mostly-free presentations and white papers thrown in).

Big Ugly String to CMS NPI FAQs
http://questions.cms.hhs.gov/cgi-bin/cmshhs.cfg/php/enduser/std_alp.php?&p_page=1&p_search_text=NPI&p_new_search=1&p_search_type=answers.search_nl&p_sort_by=&p_gridsort=4%3A2

Short Friendly String to this Blogpost
http://blog.hittransition.com/2007/08/link-to-all-cms.html

Today's announcement of the newest dissemination target date puts an end to your submissions to our Dissemination Roulette contest.  Of course, we won't be able to announce a winner until (or if) the NPI Registry actually goes online.  Remember, just like in real life, you don't win awards for getting close to the estimate, you win for getting close to the truth.

That allows us to complete the de-identified (initiated last Friday) list of the entries received before today's announcement.

Today's inbox greets us with this missive from CMS:

Dissemination of Data from the National Plan and Provider Enumeration System (NPPES) to Begin September 4, 2007

In case you were still wondering whether the previously-announced August 7 release date for the downloadable data had somehow avoided the scrutiny that held up the online NPI Registry site, the answer is no.  They say

Data will be available in two forms:

A query-only database, known as the NPI Registry.
A downloadable file. 

Since these both appear under the heading, "Dissemination of Data...to Begin September 4," one might assume that both would be available September 4.  I would discreetly point out that the simultaneity of these two releases is not necessarily explicitly indicated by the text. (And a closer reading confirms this: "The NPI Registry will become operational on September 4 and the downloadable file will be ready approximately one week later.")

Two More Weeks to Hide Your Privates
For the privacy-minded, the other deadline mentioned may be more significant: "health care providers need to submit their edits no later than Monday, August 20, 2007" to ensure they will be reflected in the public release.

Good Grief!  Again with the Football?
Another delay, another date for the calendar.  Anybody got a pencil?  Scrolling down the page, we found this reassurance: "Don't our eyes look sincere?  The sincerity of the eyes is an important indicator, Charlie Brown."

We've collected a number of responses to our NPI Disseminator Roulette contest.  We asked for an estimated date for the NPI Registry to go online, and, more importantly, the reasoning behind the estimate.  As you might guess, the answers were, well, unpredictable.  Here's a selection.  As promised, the identities of our contestents have been disguised....

CMS started sending out a belated notification to all its various listservs yesterday afternoon, acknowledging a delay in the August 1 availability of the NPI Registry.  In bold letters, no less:

CMS is delaying the deployment of the NPI Registry and the dissemination of FOIA-disclosable health care provider data from the National Plan and Provider Enumeration System (NPPES).  Additional information will be forthcoming on the Data Dissemination section of the NPI page at http://www.cms.hhs.gov/NationalProvIdentStand/06a_DataDissemination.asp of the CMS website. 

But below this came the mantra -- in even bigger, bolder letters -- that the department has attached to literally thousands of communications since it finally started taking NPI outreach seriously as the compliance date approached:

The NPI is here.  The NPI is now.  Are you using it?

Here? Now?  Doesn't that kind of contradict the first part of the message?  And how am I supposed to use it if I can't find it?  After all, only one of the hundreds or thousands of NPIs a provider will need is her own.

Still Confused?

You bet.

Getting an NPI is free - not having one can be costly.

And if not having one can be costly, imagine the cost of not having 2.5 million of them!

That contact information again:

1-800-465-3203 (NPI Toll-Free)
1-800-692-2326 (NPI TTY)
customerservice@npienumerator.com

An erstwhile reader suggested that, with yet another indefinite delay of the release of the NPPES data, I should "open a book" on the actual date that CMS will go online with the NPI Registry.  I'm sure she's not suggesting anything illegal, so I've devised this simple contest:

Email me (martinjensenAThittransition.com) your estimate of when you think the NPI Registry will go online and why you think the date you predict will be the real one.  I'll post the most interesting responses in a future blog, though I will keep all contributors' names a closely-guarded secret.  FOIA rules do not apply here!

In keeping with the spirit of the topic, the end of the contest is indeterminate.  I'll quit accepting submissions when the new target date is announced, which could be any minute now.  We know that date doesn't necessarily mean anything, but its publication as the new definition of Real Soon Now provides a handy stopping point. If the registry goes online without such an announcement, well I guess that would mark an endpoint to the contest, too.

We'll present the winner a major award: one of our beautiful "CMS is like a box of chocolates" coffee mugs.  (If you decide you must have one and cannot wait for Real Soon Now to arrive, you can order one from our HIT Bling! Cyber Cafe.)  The prize will go to the person who comes closest to the actual date the NPI Registry goes live.  If there is a tie, we'll draw one submission at random from the winning estimates.  "Never" is a legitimate estimate, but remember that your chances of getting the mug decrease with the number of winning entries. 

It may also be difficult to determine when to award the mug in that case, since CMS may never admit that they will never release the data.  Remember the National Plan ID standard?

Prize value is $15.95 plus shipping and handling, which should keep you within the boundaries of any organizational ethics policies.  If not, you can still play -- just indicate that you want the mug shipped to the charitable institution of your choice.  I'm sure your local hospital will appreciate the gesture.

I don't know about you, but I was up at midnight to see whether the promises of the long-awaited data dissemination policy had been actualized.  I anxiously clicked on the NPI Registry link and got the following familiar non-information:

NPI Registry is currently unavailable.

Please try again later.

Dissemination Delayed is Dissemination Denied
No NPI lookup. This morning the message persisted.  So I called the technical support number and spoke to an NPI Specialist.

"CMS has decided to delay the deployment of the registry. It could be next week; it could be longer."

They had already decided to delay it until August 1.  Does this mean they have decided to delay it again?

"That is correct."

Do I feel like a blockhead?

That is correct.

This Time, She Really Might Let Me Kick It
Unlike NPPES, we at the HIT Transition weblog don't rely on single-source reporting.  My partner Michael called again.

"CMS has decided to delay deployment and will announce any information on their NPI Website."

Whump!
While I was composing this post, This confirming message appeared on the CMS NPI Data Dissemination page:

CMS is delaying the deployment of the NPI Registry and the dissemination of FOIA-disclosable health care provider data from the National Plan and Provider Enumeration System (NPPES).  Additional information will be forthcoming on this web page.

Fussbudgeting for Privacy
A source indicated that AMA sent another letter off to CMS last week.  I couldn't dig it up on the AMA website yet, but if anybody can share a copy, I'll let you know.

Whether that tipped the scales or not, you can bet that CMS is anticipating a lot of angry calls from providers who feel a public posting of their NPPES data (sans SSN, birth date, country of origin, etc.) constitutes an invastion of their privacy. 

Just Another 10-Digit Number?
Will they get any calls from other providers who are miffed that the delay means they still can't obtain the NPIs they need to get their own claims paid?  I guess that's part of the calculation.

In case you needed them, that NPPES contact information is:

1-800-465-3203 (NPI Toll-Free)
1-800-692-2326 (NPI TTY)
customerservice@npienumerator.com

Sometime last night, CMS posted a bunch of news to their NPI Data Dissemination page.

They must have reconsidered the issue of leaving the first data file out there for perpetuity (including all the privacy-concerned providers who somehow didn't get the previous messages about redacting addresses and numbers they don't want to share).  Now they say they will post a fresh file every month.  Deactivated provider records will simply disappear.  Neat, huh?  Guess we don't have to worry our pretty little heads about when a provider was deactivated or why.

The posting of the NPPES data file now has been given a definite date of August 7.  The link is http://nppesdata.cms.hhs.gov/cms_NPI_files.html

In answer to some of the questions you may have...

1. Yes, it will be one big'ol CSV file, accompanied by a Readme and a code value reference.  (See important note below)
2. Approximately 340MB zipped, 800MB expanded
3. "During testing, CMS was able to use Helios Textpad, Boxer Text Editor and Microsoft Access 2003 successfully to view the file."
4. No tech support.  Thanks for asking.

Type 2 Re-do
Contrary to the Data Dissemination Notice, no EINs will be in the data.  They say they found some SSNs in the mix.  They say they'll release EINs when they are sure there aren't any SSNs in the field.  In the meantime, this will make one of the most significant queries impossible to run: "How many subparts did this organization enumerate?"  It also means that the data structures, queries and exports you make now will need to be revised when the data element is added.

Gee Maybe There's a Pattern in that 9-digit Number....?
They also found a data solution to the "accidental disclosure" issue -- where a practitioner's SSN was embedded in an Other Identifier field: "CMS is suppressing from display in the NPI Registry and in the downloadable files any SSNs or IRS ITINs that remain in any of the FOIA-disclosable fields in the records of health care providers who are individuals."

"Suppressing from display?"  Why not just delete those numbers at the source?  Oh yeah.  Medicare gets its access to NPPES under a Data Use Agreement, not via the Freedom of Information Act.  Maybe they need those secret numbers for their crosswalks.

Missing Link Discovered!
Most importantly, the Readme, code values and a header file are posted now.  You can download them from the bottom of the page.  OOPS!  The link to the header file is bad.  I derived the right URL.  Until they get it fixed, you can download it here.

.

So the NPI Registry is supposed to go online Aug 1, which is Wednesday.  But in a departure from previous announcements, CMS now says it may be "about a week later" before anyone will be able to download the entire file.

My suspicion? They're going to move the file's as-of date from July 15 to "the last possible minute," so there isn't a perpetual repository of "p___ed off provider" records out there.  Remember that the first release is supposed to become the baseline data, after which they will post monthly add/mod/suspend updates.  If un-redacted private data is out there on Day 1, it will be there "forever."

A more skeptical thought?  They're floating the repository site as a trial balloon.  Will providers love it because they can finally look up all the different NPIs they need to submit claims?  Or will they hate it, because they listed their condo as a business address?  (That would go to support their annual 1040 writeoff, though....)

But the NPPES data is finally going online!  Okay, Lucy...you hold the football, and I'll come running up and kick it.

(NOTE: See numerous updates on this issue by clicking on the NPI - National Provider ID category in the right hand margin.)

I Want To Be Wrong
I try to alert my readers about certain things before they happen, but avoid making prognostications for the sake of seeming clairvoyant.  Most often, I warn you about things that might happen but shouldn't, in the hope of playing a small role in prevention.  That's how it was with the October 2003 Train Wreck, and that's how I hope it will be in avoiding the worst snafu potentials of taxonomy crosswalking.

So I'm hesitant to even raise the possibility of a legal challenge to the upcoming Long-Awaited NPI Data Dissemination.  But there it is.  We know that a lot of providers are angry about the release of what they see as personal information (their name, their National Provider Identifier, one or two addresses where they can be found, and other identifiers they have listed with NPPES).  Angry enough that the Executive VP of the AMA sent a letter to HHS Secretary Leavitt and CMS Acting Administrator Norwalk demanding action to prevent the "imminent and irreparable harm" of such disclosures.

The Department's response was to give providers a little more time to trim their own NPPES records of sensitive information.  Will that be enough to prevent providers from taking further action?  I hope so, because I think the preponderance of evidence indicates that unfettered access to NPPES is heavily in providers' own self interest.  Unlike some other HIPAA mandates, the benefits of NPI inure primarily to providers themselves, though there is plenty of surplus advantage to payers who use it wisely and, more significantly, patients who frequently suffer from a morass of uncoordinated care.

But let's focus on providers here, because if I'm right that preventing dissemination is a bad idea for them, those arguments should be sufficient to counter the privacy concerns.

Yesterday we shared an irate letter from the AMA decrying the imminent release of provider data from CMS.  The free distribution of such personal information would cause "imminent and irreperable harm."

Doctor, Doctor, Give Me the News
After Sunday's article in the Chicago Tribune, the organization might be eating a little bit of privacy crow, however.  Turns out, they've been selling physician data to pharmaceutical companies, who use it to track prescription patterns, among other things.

This is not strictly news, of course, since associations typically leverage their membership data for ongoing revenue.  I seem to remember a flutter about the AMA in particular a couple years back.  Still, according to the Tribune, "'Doctors are not aware that companies are out there that know every prescription a doctor prescribes,' said Dr. John Santa, an internist at the Portland Veterans Affairs Medical Center."  And, presumably, that their own association keeps its membership fees down by colluding with the nefarious data mining enterprise.

NPIs and Pork Bellies
I'll neither defend nor pillory the august body for its extracurricular revenue model, but I would like to point out that the Tribune puts the "imminent and irreperable" outrage into perspective.  Social Security Numbers are bought and sold for a few dollars, perhaps pennies in volume.  Physician DEAs are already in the hands of those who want to use or abuse them, from dozens of repositories of varying degrees of integrity.  Personal data is a commodity. CMS's biggest sin was to set the price at zero.

Ready for that NPPES data? Keep holding your breath.  This just in from CMS.

CMS Delays Dissemination of National Plan and Provider Enumeration System (NPPES) Data

The NPPES Data Dissemination Notice (CMS-6060-N) was published on May 30, 2007.  NPPES health care provider data that are required to be disclosed under the Freedom of Information Act (FOIA) will be made publicly available. The FOIA-disclosable data will be made available in an initial file downloadable from the Internet, with monthly update files also downloadable from the Internet, and in a query-only database (the NPI Registry) whereby users can query by NPI or provider name.  The Notice stated that these data will be available 30 days after the publication date, and CMS had previously stated that they would be available on June 28, 2007.

CMS believes that health care providers need additional time, beyond what was afforded in the Data Dissemination Notice, in which to view their FOIA-disclosable NPPES data and make any updates or deletions (where permitted) that they feel are necessary.  Therefore, CMS has decided to delay the dissemination of FOIA-disclosable NPPES health care provider data until August 1, 2007, 60 days after the publication date of the Notice. 

CMS will provide additional information in the near future with respect to the date by which changes would have to be submitted in order to be reflected in the initial downloadable file. CMS understands that the health care industry is in urgent need of the FOIA-disclosable NPPES health care provider data; however, CMS believes it is in the best interests of the industry, and the health care providers in particular, that the NPPES data we will be disclosing be as accurate as possible. 

For the latest information on Data Dissemination, as well as a list of the FOIA-disclosable data elements, visit http://www.cms.hhs.gov/NationalProvIdentStand/06a_DataDissemination.asp on the NPI website.

In resolution 730 dated 6/23/2007, the American Medical Assocation House of Delegates suggests that the last four digits of the NPI be used as a reference number in place of the entire NPI on public websites, published lists, and other communications.

After the rush of discovering that the Long Awaited NPI Data Dissemination Policy (LANDDP) was far more liberal in granting data access than I and other industry observers had dreamed, I'm feeling a bit of a post-holiday hangover.

It's probably got something to do with the fact that I've been asked the same question three or four times today, "Is it all that?"

I just finished my first read-through of the long-awaited NPI Data Dissemination Policy (we ought to just abbreviate that as LANDDP at this point).  I have to say, as an instrument for deploying a universal provider ID to replace all the idiotic payer/location/context-specific IDs providers have been burdened with until now, I can't think of a sharper, more useful tool.

Here at HITTG, we've tracked this issue for years (literally) and extended our efforts well beyond newsgathering and sharing information.  We dug, we warned, we challenged.  We joined with others in shared voice.  The people working on this issue were well aware of the difficulty of coming out with a system that passed muster in terms of both regulatory scrutiny and industry utility.

Meanwhile, some providers expressed privacy concerns, despite the fact that disclosure of NPIs was already mandated by the NPI Final Rule.  If CMS hedged, or was backed into a corner by existing federal privacy rulings, the NPI would be a "private number" and the entire NPI effort was, in my estimation, doomed.

The sweeping access granted by the LANDDP leaves me breathless.  We actually have a chance to make this work now.

This just in: Medicare is concerned about patient privacy, so before you send them a request to see if your patient is eligible, well...I can't say it any better than the MLM:

...examples of unauthorized purposes for requesting beneficiary Medicare eligibility information include:

• To determine eligibility for Medicare without screening the patient to determine if they are Medicare eligible

Well, "Real Soon Now" may be upon us -- CMS says it might publish its long-overdue Data Dissemination Policy for the National Provider Identifier sometime this month.  I've been asking about it for over 18 months now, and I've followed the anticipations and disappointments long enough to take the Missouri Option ("Show Me") in regards to its release.  What has changed from prior announcements is that the industry actually seems to have developed an understanding of why access to the National Plan & Provider Enumeration System (NPPES) is important: Until NPPES data is available, the Gold Standard of Provider Identification remains in a locked vault.

More to the point, the alternative, which I refer to as NPI Disspamination ("Email your NPI to everyone you know or you will have very bad luck on May 23") has been understood to be both costly and ineffective.  Sure, if you're a provider, you can send it to everybody -- but have you included all the data elements in your message that they need to build a crosswalk to their legacy IDs?  If you're a payer, you can urge, coddle or threaten, but do you think you will get anywhere near the percentages you need to keep from going manual, once NPI identification becomes a reality?

Still, like anything else in the universe, NPPES data will be "no panacea."  The quality of the data itself is questionable, at best, and indications are that restrictions on use will prevent the kind of data merging that everyone hopes and prays will bring their databases up to readiness status.  I've put together a list of issues to look for in the Data Dissemination Policy (let's make it easy and call it the DDP) along with some thoughts about what we might see.

Just got a tip from a colleague that CMS may be allowing access to NPPES data (the NPI database run by enumerator Fox Systems) prior to the release and approval of the much-delayed Data Dissemination Notice. 

Big News Day
For people trying to solve the National Provider Identifier problem, this would be bigger news than the simultaneous announcement by CMS parent HHS that Robert Kolodner, chief health informatics officer at the Veterans Health Administration, will take on David Brailer's job, at least on an interim basis.  (It had been suggested that it would be hard to get someone from private industry to take on the review process, much less the role, for an official appointment, given the short period of time left in the administration's tenure  This fits with the indication that Kolodner would serve as acting national coordinator for health information technology.)

Back to Data Dissemination
The hue and cry for access to NPI data has been growing steadily since we and others first started asking about it after the release of the final rule.  "Real soon now," was the reply, as CMS wrestled with federal regulations regarding personal identifiers and external pressures to keep a tight lid on the as-yet-undeployed physician identifiers.

Without access to this data (and after many delays in the anticipated release of the policy), healthcare organizations have been relying on haphazard and error-prone point-to-point exchanges of NPI and related data.  Not just payers, but provider organizations.  Hospitals, reference labs, physicians who require referrals and preauths -- anyone who must list other providers on their claims -- were slowly beginning to realize how difficult it would be to send NPIs without the ability to look up NPIs. 

Worse, the early adopters were discovering a nasty uptick in demand for extra paperwork -- no standard procedure exists, so each payer was devising their own way of obtaining and verifying NPIs. Medicare led the way by requiring a hardcopy of the NPPES notification from the enumerated provider, which, flimsy as it was, remained the only method of NPI validation sourced from NPPES available to an external party.

Horror story from Oregon:  Providence Health System was apparently using an employee's car as its offsite storage system for data backups.  I'm guessing that keeping a bunch of disks and tapes in the back seat of a Pontiac might not have been so risky, if the employee had not decided to carry them in a laptop bag.  The thief who broke the window on December 31 probably thought he could fence a PC for a couple hundred bucks.  Instead, he ended up with the confidential records of 365,000 patients and about 1,500 employees.  Is there a virtual market where you can pawn personal identities?

Though the employee initially told the sherrif's officer that the data was "highly encrypted," the health system later -- much later -- revealed that this was not the case.

The Washington Post reports that the City of New York will soon start gathering lab results on diabetic patients without asking permission.  This is seen as a significant change in focus of public health authority from the realm of infectious disease control to chronic disease management.

Under the program, independent clinical labs will be required to submit the results of Hemoglobin A1c tests to the health department within 24 hours.  A1c provides an estimate of the patients average glucose control over the preceding few months.  The New York City Department of Health and Mental Hygiene will use the aggregate data to track the impact of the disease and assess management efforts, but is also intending to contact patients directly if their numbers show a lack of control.  Curiously, they've decided to pilot the door-knocking campaign in the South Bronx, long regarded as one of the city’s roughest neighborhoods.  (I wonder what the recruitment ad for that home health position might look like?)

Privacy advocates are, of course, outraged and public health wonks are, understandably, hopeful.

As both a HIT worker and a diabetic, I have my own thoughts on the subject.

The Department of Health and Human Services has issued a timely report summarizing how Covered Entities (particularly healthcare providers) can provide disaster relief AND assist loved ones concerned about the location and status of victims.

If you are a provider who is concerned about unlawful disclosures, or if you are or know of someone who is having difficulty obtaining the status of a loved one, see the report here: www.hhs.gov/ocr/hipaa/KATRINAnHIPAA.pdf.

Here are some relevant passages: