Tuesday, June 29, 2010

Commonwealth Fund: US Health System Continues to Underperform

A new Commonwealth Fund study reports that despite having the "most costly health system in the world, the United States consistently underperforms on most dimensions of performance... Compared with six other nations—Australia, Canada, Germany, the Netherlands, New Zealand, and the United Kingdom—the U.S. health care system ranks last or next-to-last on five dimensions of a high performance health system: quality, access, efficiency, equity, and healthy lives."

"The most notable way the U.S. differs from other countries is the absence of universal health insurance coverage. Health reform legislation recently signed into law by President Barack Obama should begin to improve the affordability of insurance and access to care when fully implemented in 2014. Other nations ensure the accessibility of care through universal health insurance systems and through better ties between patients and the physician practices that serve as their long-term “medical homes.” Without reform, it is not surprising that the U.S. currently underperforms relative to other countries on measures of access to care and equity in health care between populations with above-average and below-average incomes.

But even when access and equity measures are not considered, the U.S. ranks behind most of the other countries on most measures. With the inclusion of primary care physician survey data in the analysis, it is apparent that the U.S. is lagging in adoption of national policies that promote primary care, quality improvement, and information technology. Health reform legislation addresses these deficiencies; for instance, the American Recovery and Reinvestment Act signed by President Obama in February 2009 included approximately $19 billion to expand the use of health information technology. The Patient Protection and Affordable Care Act of 2010 also will work toward realigning providers’ financial incentives, encouraging more efficient organization and delivery of health care, and investing in preventive and population health.

For all countries, responses indicate room for improvement. Yet, the other six countries spend considerably less on health care per person and as a percent of gross domestic product than does the United States. These findings indicate that, from the perspectives of both physicians and patients, the U.S. health care system could do much better in achieving value for the nation’s substantial investment in health.


Key Findings


Quality: The indicators of quality were grouped into four categories: effective care, safe care, coordinated care, and patient-centered care. Compared with the other six countries, the U.S. fares best on provision and receipt of preventive and patient-centered care. However, its low scores on chronic care management and safe, coordinated care pull its overall quality score down. Other countries are further along than the U.S. in using information technology and managing chronic conditions. Information systems in countries like Australia, New Zealand, and the U.K. enhance the ability of physicians to identify and monitor patients with chronic conditions.

Access: Not surprisingly—given the absence of universal coverage—people in the U.S. go without needed health care because of cost more often than people do in the other countries. Americans with health problems were the most likely to say they had access issues related to cost, but if insured, patients in the U.S. have rapid access to specialized health care services. In other countries, like the U.K. and Canada, patients have little to no financial burden, but experience wait times for such specialized services. There is a frequent misperception that such tradeoffs are inevitable; but patients in the Netherlands and Germany have quick access to specialty services and face little out-of-pocket costs. Canada, Australia, and the U.S. rank lowest on overall accessibility of appointments with primary care physicians.


Efficiency: On indicators of efficiency, the U.S. ranks last among the seven countries, with the U.K. and Australia ranking first and second, respectively. The U.S. has poor performance on measures of national health expenditures and administrative costs as well as on measures of the use of information technology, rehospitalization, and duplicative medical testing. Sicker survey respondents in Germany and the Netherlands are less likely to visit the emergency room for a condition that could have been treated by a regular doctor, had one been available.

Equity: The U.S. ranks a clear last on nearly all measures of equity. Americans with below-average incomes were much more likely than their counterparts in other countries to report not visiting a physician when sick, not getting a recommended test, treatment, or follow-up care, not filling a prescription, or not seeing a dentist when needed because of costs. On each of these indicators, nearly half of lower-income adults in the U.S. said they went without needed care because of costs in the past year.

Long, healthy, and productive lives:  The U.S. ranks last overall with poor scores on all three indicators of long, healthy, and productive lives. The U.S. and U.K. had much higher death rates in 2003 from conditions amenable to medical care than some of the other countries, e.g., rates 25 percent to 50 percent higher than Canada and Australia. Overall, Australia ranks highest on healthy lives, scoring in the top three on all of the indicators."

Thursday, June 24, 2010

Health Wonk Review up at Wright on Health

Brad Wright dishes a special Research Edition of Health Wonk Review at Wright on Health timed to coincide with the Annual Research Meeting for AcademyHealth in Boston. The Healthcare Technology News story on Defensive Medicine is featured, along with the best of the policy blogosphere.

Wednesday, June 23, 2010

Decision Support Service Providers

Guest author John Halamka is Chief Information Officer of Beth Israel Deaconess Medical Center and the Harvard Medical School.

Decision Support Service Providers

In my recent Leiter Lecture, I spoke about the idea that decision support services should be available in the cloud. BIDMC has 2000 decision support rules. Brigham and Women's has 2000 decision support rules. They are entirely different rules maintained by two teams of experts. That's lunacy.

Shouldn't we have a single set of evidence-based rules that everyone in the country can use?

But how would it work and what standards would be used?

I serve on the Board of AnvitaHealth (note the Conflict of Interest), which is working on this problem.

1. First, rules need to be authored by experts or gleaned from the literature and represented electronically in a decision support cloud.

2. Second, an XML form of patient history needs to be sent to the Decision Support Service Provider. For example, the problem list, medication list, recent labs, age, and gender could be sent in a Continuity of Care Document without specific patient identifiers.

3. Third, the Decision Support Service Provider should respond with clinical care advice, such as drug/drug interactions, alerts/reminders, or wellness guidance.

Here's a concrete example. For brevity, I included only pertinent portions of the XML input data. The XML could contain any arbitrary length of data elements and code sets.

Here's an example of an XML patient data input file (CCD is also natively supported)

The XML response is a realtime answer to every rule set run. Thousands can be executed in realtime (milliseconds). Here's an XML response that indicates two drug safety issues – a drug-disease (MAO+Hypertension) interaction and a dangerous drug-drug combination at severity level 1 (fentanyl-containing meds and MAO inhibitors).

Here's an XML response that indicates a laboratory gap in care. In this case, the patient is taking an ACE Inhibitor and does not have recent serum electrolytes. The compliance to this rule is thus false (underlined).


Thus, Anvita has defined clinical decision support (CDS) standards to transmit decision support recommendations from the service provider back to the EHR. I am unaware of any widely implemented standards that do this today.

Additionally, the XML response object is hierarchical. Any response (drug safety, gap in care, etc) can be drilled down further to any level of detail, including the drug package insert, for example. However, for speed of response, Anvita returns portions of the XML response initially.

Additional details from Anvita:

1. The patient data set (longitudinal health record) can be sent to Anvita’s web service as XML or CCD. Anvita’s XML anticipates and extends attributes necessary for decision support, such as presence or absence of different types of dialysis, which are not yet required by CCD.

2. Anvita’s engine includes (a) decision support function requests (e.g., check drug dose, get formulary, find safety-check therapeutic alternatives, find gaps in care) and also (b) utilities, such as: search functions using descriptions within codesets like CPT, NDCs, the ability to find all drugs within a therapeutic class, find all LOINCs that infer the same physiologic laboratory test, etc. Anvita utilizes freely available vocabularies for maintaining local dictionaries, their synchronization, and taxonomies. The modularity of (a) and (b) allows homegrown systems and next-generation applications to be developed without having to deal with the complexity of thousands of pages of implementation guides pertaining to drug databases, industry codes like CPT, LOINC, NDC, semantic interoperability between non-congruent databases (due to the Anvita Thesaurus), as well as coding of hundreds of quality/performance measures that Anvita provides out of the box (e.g., HEDIS), in a plug-and-play fashion.

3. A decision support request, posed as XML, returns a response object for that request. The response XML can include drug safety analysis, gaps in care analysis and scoring, formularies, cumulative radiation exposure, etc. Therefore, Anvita is a generalizable, semantic search engine that executes in realtime as a web service. Anvita’s realtime capability not only enables decision support at the Point of Care, but business functions such as electronic prior authorization using EHR data (e.g., high tech imaging).

4. The analytical responses can be delivered as either XML (for instantaneous consumption at the Point of Care) or written directly to an alerts database (for population analytics). The analytical database can be viewed/queried directly by Anvita’s web-based tool or it can be mined by 3rd party business intelligence tools (e.g., Cognos, Business Objects, JasperSoft, Pentaho).

5. Anvita also has supporting tools that include:
a. A Rules Authoring application, so that a non-technical specialty society or policy group (e.g., NQF-endorsed entities) can author computable performance measures without any software coding at the atomic level.
b. A Rules Management application, so that local organizations and physicians can decide and configure which rules to run (e.g., Meaningful Use), including the rules they’ve authored themselves and that might be proprietary (e.g., electronic prior-authorization criteria).

I do not present this as an advertisement for Anvita, but as a generalizable, modular approach to decision support in the cloud that could be implemented by many companies instead of duplicating expert resources in every hospital and health information exchange.

Decision Support Service Providers is a concept that is ready for prime time.

Tuesday, June 22, 2010

Defensive Medicine - It's not about tort reform


A recent independent national physician Gallup survey commissioned by Jackson Healthcare found that physicians attribute 26 percent of overall healthcare costs to the practice of defensive medicine. Of the physicians surveyed, 73 percent agreed that they had practiced some form of defensive medicine in the past 12 months.

Key Findings
  • Physicians attribute 26 percent of overall healthcare costs to the practice of defensive medicine
  • Of the physicians surveyed, 73 percent agreed that they had practiced some form of defensive medicine in the past 12 months
  • Physicians indicating they had practiced a form of defensive medicine in the last twelve months attribute 21 percent of their practice to be defensive in nature
  • Physicians attributed 34 percent of overall healthcare costs to defensive medicine
  • Nine out of 10 physicians (92 percent) reported practicing defensive medicine
  • In cases of true negligence, nine out of 10 (89 percent) physicians agree that patients receiving negligent treatment should be compensated
  • Emergency room, primary care and OB/GYN physicians are most likely to practice defensive medicine
  • Younger physicians and female physicians reported less tolerance for risk and are more likely to practice defensive medicine
Physicians who reported practicing defensive medicine, estimated the following:
  • 35 percent of diagnostic tests were ordered to avoid lawsuits
  • 29 percent of lab tests were ordered to avoid lawsuits
  • 19 percent of hospitalizations were ordered to avoid lawsuits
  • 14 percent of prescriptions were ordered to avoid lawsuits
  • 8 percent of surgeries were performed to avoid lawsuits
Consequences reported to exist beyond the threat of the courtroom, included:
  • Practicing “rule-out medicine” vs. “diagnostic medicine”
  • Physicians appear afraid to trust their own clinical judgment and trust first-round tests, resulting in tests to confirm the results of tests
  • Physicians expressed concern over not only missing a diagnosis, but being charged with delay in diagnosis
  • Patients are viewed as plaintiffs, not partners
  • Patient access to medical information and self-diagnoses via the web has increased physician compliance with patient demands in an effort to avoid lawsuits
  • Physicians avoid high risk patients, because a bad outcome increases chances of litigation
  • Physicians avoid procedures and practices that would increase medical malpractice insurance premiums, thereby limiting patient access to treatment
  • Physicians are considering leaving the profession
Defensive medicine takes two main forms: assurance behavior and avoidance behavior. Assurance behavior involves the charging of additional, unnecessary services in order to a) reduce adverse outcomes, b) deter patients from filing medical malpractice claims, or c) provide documented evidence that the practitioner is practicing according to the standard of care, so that if, in the future, legal action is initiated, liability can be pre-empted. Avoidance behavior occurs when providers refuse to participate in high risk procedures or circumstances.

Jackson Healthcare commissioned the Gallup survey after observing these startling findings in their own polling.  Rick Jackson, 30 year CEO of Jackson Healthcare, sat down with HTN to provide some background and insights.

HTN:  What led you to conduct these polls and what was your personal reaction?

Rick Jackson: We felt we should ask physicians, who write the purchase order for most healthcare costs, what their opinion was on the Democratic and Republican version of healthcare reform. They came back overwhelmingly that changes have to be made in the legal system beyond capping malpractice and stabilizing the insurance market. They felt we need true tort reform to eliminate the practice of defensive medicine. We then surveyed them on their opinions and practice of defensive medicine and were surprised by the findings. We commissioned Gallup to do an independent survey on this issue and the results were very close to our own survey. We were surprised by the emotion of the physicians and the findings from our survey.

HTN:  What are the root causes behind defensive medicine?

Rick Jackson:  Physicians are personally liable for any mistakes they make.  Even if covered by malpractice insurance should an award exceed that amount the physician is personally liable.  This environment causes them to assume a very defensive posture when interacting with patients.  They have learned from their mentors “war stories” that it is always better to order tests, medication and treatments to prove that a condition exists and just as importantly that other conditions do not exist in their patients.

HTN:  What are the policy implications? 

Rick Jackson: If we could get our lawmakers to focus on legal issues beyond what they describe as tort reform we could save the country between $650-$850 billion dollars PER YEAR. Physicians are leaving the profession in significant numbers. With the current environment, physicians are recommending their sons and daughters to NOT go into medicine. With the population demographics dictating the need for more physicians in the future, this is a disturbing trend.

HTN:  What reactions are you getting to the poll?  From physicians?  From Congress? 

Rick Jackson:  We are pleasantly surprised that the dialogue has started including talk of defensive medicine.  Our story was covered on CNN, and now there are stories on defensive medicine in Newsweek, MSNBC and other media outlets.  Dr. Senator Coburn talked about our results at the Healthcare Summit.  The physicians have had many positive comments.  We also met with the policy people from Senators Coburn and McConnell as well as Congressmen Boehner and Price.

Part II of the interview with Rick Jackson will appear in a subsequent post.

Monday, June 21, 2010

CMS Launches Its Website for Meaningful Use Incentive Programs

 The Centers for Medicare & Medicaid Services (CMS) has launched the official website for the Medicare & Medicaid EHR Incentive Programs. This website will provide the most up-to-date, detailed information about the EHR incentive programs.


The Medicare and Medicaid EHR Incentive Programs will provide incentive payments to eligible professionals and hospitals as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology.

The web site details eligibility, certification, meaningful use, registration, upcoming EHR training, events and information for the states.

Friday, June 18, 2010

NHIN Direct - What it might look like

NHIN Direct is an ONC led initiative to enable boundaryless secure point-to-point provider messaging to other healthcare stakeholders. NHIN Direct would provide a standards-based replacement to paper, fax and email-in-the-clear and a transport layer for system-to-system point-to-point messaging.

The NHIN Direct Implementation Group is drawing close to its decision on the implementation approach. A convergence proposal has been submitted by NHIN Direct workgroup leaders David McCallie and this writer. The proposal centers on an SMTP backbone, with edge protocols that enable secure email, EHR workflow integration (using IHE standards) and system-to-system integration (using REST).
_______________________________________________________________________________


NHIN Direct Convergence Proposal
This post is from Rich Elmore (Allscripts) and David McCallie (Cerner), with thanks and gratitude to many contributors and reviewers. A special thanks to the Concrete Implementation teams and the HIT Standards Committee review team that paved the way for this proposal.

Following the NHIN Direct Implementation Group June face-to-face meetings, the following proposal emerged as having a reasonable potential for consensus. The core of the idea is to take the best aspects of each proposal and blend them together to create something that doesn’t have to compromise on any dimension.
The proposed approach is designed to address the following CTQ’s:
  • The backbone shall be:
    • A pervasive widely-available, universally-addressable, secure and reliable network
    • Already proven and in widespread use for this specific purpose (1a)
    • “Instantly on” – meaning that the global network can be built out in months, without central planning, using proven infrastructure and deep existing knowledge for this specific application (1a). Wes Rishel has described this as a “socially scalable” deployment architecture.
  • The edge protocols shall support:
    • Instantly-on integration with EHR’s using the existing IHE XDR standard
    • Immediately available infrastructure ready for system-to-system innovations using a RESTful reference implementation
    • Bootstrapping for non-EMR users by providing basic access using standard email clients (POP/IMAP)
  • A payload neutral content model shall meet entry-level providers where they are, but can scale up to the levels of metadata that are currently required by integrated health care settings and will be required by all providers to drive efficient and high quality workflows.

In more detail, we are proposing that:
  • The backbone protocol for NHIN Direct would be SMTP carrying S/MIME signed and encrypted messages. This approach will allow us to leverage existing software, infrastructure and business models to ensure that NHIN Direct service is immediately available to both large and small providers regardless of practice size and IT budget.
    • In order to minimize the need to have end-users managing PKI certificates, we have designed and coded a transparent way for an organization and/or its users to delegate certificate management to a trusted HISP. The HISP will then transparently use DNS to locate and apply the user’s certificate (or the organization’s certificate) to convert the unencrypted message into a standard S/MIME message and verify an S/MIME signature. If an organization prefers not to sign a BAA with their HISP and prefers to manage certificates themselves, security can be performed within the organization. If the sender is unwilling to outsource encryption to the HISP, then the sender will have to perform any necessary XDM packaging (and encryption) before uploading the message to the HISP. NHIN Direct supplied libraries could be invoked locally to perform the XDM wrapping.
    • The use of organization or user level certificates also allows our approach to manage “multiple circles of trust,” as required by the Privacy & Security principles, because each organization may independently choose which certificate authorities to accept, and which to reject.
    • HISP-HISP conversations will be additionally encrypted using standard TLS using server certificates only (no client certificates) issued by an accepted Internet CA. This will guarantee a secure channel to protect the routing metadata while messages are being sent between trusted entities.
    • Error and status messages will be returned as messages using the MDN content type.
  • An integrated XDR interface/gateway will be developed that can translate messages to and from XDR for out-of-the-box integration with existing XDR implementations. The system will adopt XDM as the recognized mechanism to encode content metadata for transmission across the backbone (as an attachment with the application/xdm+zip content type) and will use XDR as the protocol to interface with existing XD* applications. See the figure below for a schematic. (Note: we use the term “metadata” here to refer to content-associated metadata, not the routing information used to send the message.)
    • We recommend that clients create metadata attachments whenever possible. As a general rule of thumb, the sender is recommended to create as “rich” a metadata package as possible. The receiver should use as much received metadata as possible, and will be expected to send a “bounce” message back to the sender if the message cannot be processed, or the metadata does not meet the receiver’s standards.
    • A key goal here is to provide a “bootstrapping” pathway that lets clients move from “no metadata” to full metadata without having to change messaging platforms. A provider should be able to start out with a simple email client, and then move to an EHR module, and then to a full EHR without changing HISP or secure NHIN-Direct addresses.
    • Our approach follows the same content standards as are used by XDR with the design criteria to avoid changes to the EHRs. It would also follow and leverage the “step up” and “step down” gateway code created by the SOAP team. It would follow any new profiling standards from IHE that would guide the proper use of “minimal” content metadata for those clients who cannot generate full metadata.
    • The REST reference implementation will be specifically tuned to ease creation of the metadata package transparently.
  • A reference implementation of a simple REST interface will be exposed to the edge to support a more familiar integration approach for developers comfortable in that environment. This interface will also enable rapid innovation through the addition of new methods as needed.
    • The REST interface can readily be used to integrate the HISP with existing EHR software (where there is an already-established workflow engine and/or “inbox”)
    • The REST interface can be used to create novel integration points, such as web-based portals, for secure message-handling. We propose to create a reference implementation of a simple web-based portal, as part of the pilot deliverables.
  • A basic client interface will be provided by exposure of standard POP/IMAP email services.
    • To ensure edge on-the-wire privacy, all clients will be required to use TLS with a server certificate only to connect to the HISP. Authentication could be username/password and/or client certificates.
    • To minimize the risk of mistaking a non-secure email account with the secure email account, we recommend (but don't require) that clients use a separate email instance to connect to their HISP, where this is technically supported by the client, rather than managing two accounts from one email client. This would be similar to using one client for personal email and a different client for corporate email.
    • Our reference implementation will include instructions to pre-configure email clients to ensure secure communication with a HISP.

Together, a reference implementation built to support this proposal is able to expose all three of XDR, REST and SMTP/POP3/IMAP as peer interfaces to edge clients. It will provide immediate utility for providers with limited IT capability, maximize the acquisition and exchange of content metadata, and provide a surface for rapid innovation.
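The receiving side of the backbone rules above, as an added example (not code from the NHIN Direct project or the proposal's authors): a HISP inbound gate that accepts only S/MIME enveloped messages, applies a local XDM metadata requirement, and answers a rejection with an MDN. The addresses, the `decrypt` callable standing in for the HISP's S/MIME agent, and the sample messages are constructed assumptions.

```python
"""HISP inbound gate (added illustration; all names and samples are constructed)."""
from email import message_from_bytes, policy
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
XDM_TYPE = "application/xdm+zip"  # content type named in the proposal


def check_outer_layer(raw):
    """Backbone rule: what arrives over SMTP must be an S/MIME encrypted envelope."""
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype not in SMIME_TYPES:
        return False, "outer layer is %s, not S/MIME" % ctype
    smime_type = str(msg.get_param("smime-type") or "").lower()
    if smime_type != "enveloped-data":
        return False, "S/MIME layer is '%s', not enveloped-data" % smime_type
    return True, "encrypted S/MIME envelope"


def check_decrypted_content(inner, require_xdm):
    """Receiver policy on the entity recovered after decryption and signature check."""
    msg = message_from_bytes(inner, policy=policy.default)
    has_xdm = any(part.get_content_type() == XDM_TYPE for part in msg.walk())
    if require_xdm and not has_xdm:
        return False, "no %s metadata attachment" % XDM_TYPE
    return True, ("XDM metadata present" if has_xdm else "accepted without metadata")


def build_mdn(raw, reporting_hisp, reason):
    """Build the bounce as a multipart/report MDN addressed to the original sender."""
    orig = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(orig.get("From", "")))[1]
    recipient = parseaddr(str(orig.get("To", "")))[1]
    mdn = MIMEMultipart("report", report_type="disposition-notification")
    mdn["From"] = recipient
    mdn["To"] = sender
    mdn["Subject"] = "Message could not be processed"
    # Part 1: human-readable explanation. No message content is echoed back.
    mdn.attach(MIMEText("Your message was not accepted: %s\n" % reason))
    # Part 2: machine-readable disposition fields.
    fields = (
        "Reporting-UA: %s\n"
        "Final-Recipient: rfc822; %s\n"
        "Original-Message-ID: %s\n"
        "Disposition: automatic-action/MDN-sent-automatically; processed/error\n"
        "Error: %s\n" % (reporting_hisp, recipient, orig.get("Message-ID", ""), reason)
    )
    machine = MIMEBase("message", "disposition-notification")
    machine.set_payload(fields)
    mdn.attach(machine)
    return mdn


def gate(raw, decrypt, require_xdm=True, hisp="hisp-b.example"):
    """Return (accepted, reason, mdn); mdn is None when the message is accepted.

    `decrypt` is a hypothetical callable for the HISP's S/MIME agent: it takes the
    raw message and returns the verified, decrypted inner MIME entity as bytes.
    """
    ok, reason = check_outer_layer(raw)
    if ok:
        ok, reason = check_decrypted_content(decrypt(raw), require_xdm)
    return ok, reason, (None if ok else build_mdn(raw, hisp, reason))


# Constructed sample messages (not captured traffic).
_HDR = (b"From: Dr A <dr.a@hisp-a.example>\r\n"
        b"To: dr.b@hisp-b.example\r\n"
        b"Message-ID: <msg-001@hisp-a.example>\r\n"
        b"MIME-Version: 1.0\r\n")
PLAINTEXT = _HDR + b"Content-Type: text/plain\r\n\r\nReferral note in the clear\r\n"
ENVELOPED = _HDR + (b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
                    b" name=smime.p7m\r\nContent-Transfer-Encoding: base64\r\n\r\n"
                    b"UExBQ0VIT0xERVI=\r\n")  # placeholder, not real ciphertext
INNER_NO_XDM = b"Content-Type: text/plain\r\n\r\nReferral note\r\n"
INNER_WITH_XDM = (b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
                  b"--b1\r\nContent-Type: text/plain\r\n\r\nReferral note\r\n"
                  b"--b1\r\nContent-Type: application/xdm+zip\r\n"
                  b"Content-Transfer-Encoding: base64\r\n\r\nUEsFBg==\r\n--b1--\r\n")

if __name__ == "__main__":
    cases = [("plaintext", PLAINTEXT, INNER_NO_XDM),
             ("encrypted, no metadata", ENVELOPED, INNER_NO_XDM),
             ("encrypted, XDM attached", ENVELOPED, INNER_WITH_XDM)]
    for name, raw, inner in cases:
        ok, reason, mdn = gate(raw, lambda _raw, inner=inner: inner)
        print("%-24s %s  (%s)" % (name, "ACCEPT" if ok else "BOUNCE", reason))
    print(gate(PLAINTEXT, lambda _raw: b"")[2].as_string())
```

Passing `require_xdm=False` models a receiver whose standards admit the "no metadata" end of the bootstrapping pathway; the outer-layer check is not configurable because the backbone rule is unconditional.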

[Figure: NHIN Direct Convergence Proposal]

Appendix - Sending / Receiving


[Figure: NHIN Direct Convergence Proposal, Sending a Message]
[Figure: NHIN Direct Convergence Proposal, Receiving a Message]

Thursday, June 17, 2010

Health IT - "Every provider, every patient will benefit"

National Coordinator for Health IT David Blumenthal has sent the strongest signal yet that requirements aren't likely to relax substantially from the proposed rule.  His latest post makes the case that providers and healthcare organizations have a principled obligation to adopt Health IT as contemplated by HITECH.  Blumenthal asserts that "while large hospital networks and smaller providers may be stretched to meet national health IT goals, it is not beyond their capacity for growth."

Adoption of Health IT
by Dr. David Blumenthal

Introducing change in health care is never easy. Historically, adopting our most fundamental medical technologies, from the stethoscope to the x-ray, were met with significant doubt and opposition. So it comes as no surprise that in the face of change as transformational as the adoption of health IT – even though it carries the promise of vastly improving the nation’s health care – some hospitals and providers push back. I resisted using EHRs while an internist in Boston, as I wrote in my blog, “Why Be a Meaningful User.” Over time, however, I found that working with health IT made me a better and safer physician. Most importantly, my patients received better, safer care and improved outcomes.

There are thousands of stories like mine across the nation. The question health care providers are facing today is whether we are pushing too hard, too fast to make this important change. I respectfully submit, no. In turn, I ask, “Can we make these changes expeditiously enough?”

Americans deserve better health care than they are currently receiving, and they need it delivered more efficiently. Every provider, every patient throughout our nation will benefit from the goals envisioned by the HITECH Act. Yes, this will be a challenge. While large hospital networks and smaller providers may be stretched to meet national health IT goals, it is not beyond their capacity for growth.

Doctors and hospitals will not have to go it alone. Programs, such as our 60 Regional Extension Centers located throughout the United States, are working hard to ensure that providers have all the necessary resources to meet the challenge. The incentive program will then provide reimbursement to providers who have achieved meaningful use.

This is the time to realize the promise of health IT. Information technology has improved every aspect of our lives, we need to channel information technology to improve our health and care. Providing patients with improved quality and safety, more efficient care and better outcomes is paramount. Physicians who adhere to the oath of Hippocrates believe we must act with all deliberate haste. More than two thousand years later, we can’t forestall health care quality improvements, not when so many patients entrust their providers for the best care they can possibly deliver. As the saying goes, “If not now, when?”

Tuesday, June 8, 2010

MONAHRQ


The Agency for Healthcare Research and Quality (AHRQ) announced the launch of MONAHRQ: My Own Network, Powered by AHRQ. MONAHRQ software can be used by state and local data organizations, health systems, and payers to provide web access to quality and utilization indicators based on their inpatient administrative data.

"MONAHRQ analyzes, summarizes, and presents information in a format ready for use by consumers and other decision-makers on:

  • quality of care at the hospital level,
  • health care utilization at the hospital level,
  • preventable hospitalizations at the county level, and
  • rates of conditions and procedures at the county level.

Any organization with inpatient hospital administrative data can use MONAHRQ to generate their own Web site for internal use or public release.

Organizations host the new tool on their own Web server and populate it with their own hospital administrative data. The Web site generated by MONAHRQ is an interactive querying site that users can navigate to learn about health care in their area."

Thursday, June 3, 2010

Community Health Data Initiative

The Community Health Data Initiative was launched yesterday at a forum in Washington D.C., chaired by Institute of Medicine (IOM) President Harvey Fineberg and HHS Secretary Kathleen Sebelius. Data sources related to the initiative are available at HHS.gov/Open.  The brains behind this initiative: Chief Technology Officer Todd Park.




The HHS summary follows:

"The Community Health Data Initiative is a major new public-private effort that aims to help Americans understand health and health care performance in their communities -- and to help spark and facilitate action to improve performance.

The fundamental approach being taken by the initiative is to catalyze the advent of a network of community health data suppliers (starting with HHS) and “data appliers” who utilize that data to create applications that (1) raise awareness of community health performance, (2) increase pressure on decision makers to improve performance, and (3) help facilitate and inform action to improve performance.

The approach we’re taking has two parts.

First, we will be providing to the public, free of charge and without any intellectual property constraint, a Community Health Data Set harvested from across HHS – a wealth of easily accessible, standardized, structured, downloadable data on health care, health, and determinants of health performance at the national, state, regional, and county levels, as well as by age, gender, race/ethnicity, and income (where available). This data set will consist of hundreds (ultimately, thousands) of measures of health care quality, cost, access and public health (e.g., obesity rates, smoking rates, etc.), including data produced for the Community Health Status Indicators, County Health Rankings, and State of the USA programs.

It will include a major contribution of new national, state, regional, and potentially county-level Medicare prevalence of disease, quality, cost, and utilization data from the Centers for Medicare and Medicaid Services (CMS), never previously published, as well as data for measures tracked by Healthy People 2020. And it will include information on evidence-based programs and policies that have successfully improved community performance across many of these measures.

While the initial Community Health Data Set is a set of data files downloadable from a webpage, we will be deploying a new data warehouse and web portal to deliver it with maximum efficiency (including exposing the data via a web service) by the end of 2010. The data warehouse and portal are currently under development at the National Center for Health Statistics.

Second, working with a growing array of technology companies, researchers, health advocates, employers, media, consumer advocates, marketers, providers, etc., we are seeking to identify the uses of this data that would do the most to raise awareness of health performance, help motivate civic leaders and citizens to improve performance, and help improvers do the improving. Potential examples include:

  • Interactive health maps on the web that allow citizens to understand health performance in their area vs. others with tremendous ease and clarity
  • “Dashboards” that enable mayors and other civic leaders to track and publicize local health performance and issues
  • Social networking applications that allow health improvement leaders to connect with each other, compare performance, share best practices, and challenge each other
  • Competitions regarding how communities can innovate to improve health performance
  • Viral online games that help educate people about community health
  • Utilization of community health data to help improve the usefulness of results delivered by web search engines when people do health-related searches and further raise awareness of community health performance
  • Integration of community health-related data into new venues, such as real estate websites, which could be highly effective disseminators of such information
  • Etc.

Through this dialogue, the public-private Community Health Data Initiative team is recruiting companies, nonprofit organizations, advocacy groups, and innovators of all stripes to utilize the data HHS is providing and develop applications for the public along the lines of the above – and also provide feedback on what data going forward would be most useful for HHS to supply.

The objective is not only to deploy the HHS Community Health Data Set, but also to trigger the creation and use of an ever-growing array of new applications that increase awareness of community health performance and spark action to improve performance – with the ultimate metric of success being improvement in the very health measures that are being surfaced via the data set.

In sum, the Community Health Data Initiative is working to leverage the power of transparency, participation, and collaboration to improve community health. It’s not an initiative owned by any one organization. It’s an American initiative, embodying the spirit of commonwealth and which will enable us to do things that can only be done when we all work together.

And it’s an initiative for which we also plan to share our core methodologies and program materials with other agencies across the government, who have already begun to express interest in replicating this approach in other sectors."

Tuesday, June 1, 2010

e-Prescribing for Controlled Substances

The DEA published the following FAQs on electronic prescriptions for controlled substances by practitioners. Highlights follow:

Questions and Answers for Prescribing Practitioners

Q. What is DEA’s rule “Electronic Prescriptions for Controlled Substances?”
A. DEA’s rule, “Electronic Prescriptions for Controlled Substances” revises DEA’s regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. The rule was published in the Federal Register Wednesday, March 31, 2010 and becomes effective on June 1, 2010.

Q. Is the use of electronic prescriptions for controlled substances mandatory?
A. No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions. Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing. Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA’s perspective. Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions. Oral prescriptions remain valid for schedule III, IV, and V controlled substances. Electronic prescriptions for controlled substances are only permissible if the electronic prescription and the pharmacy application meet DEA’s requirements. In addition, electronic prescriptions for controlled substances may be subject to state laws and regulations. If state requirements are more stringent than DEA’s regulations, the state requirements would supersede any less stringent DEA provision.

Q. When can a practitioner start issuing electronic prescriptions for controlled substances?
A. A practitioner will be able to issue electronic controlled substance prescriptions only when the electronic prescription or electronic health record (EHR) application the practitioner is using complies with the requirements in the interim final rule.

Q. How will a practitioner be able to determine that an application complies with DEA’s rule?
A. The application provider must either hire a qualified third party to audit the application or have the application reviewed and certified by an approved certification body. The auditor or certification body will issue a report that states whether the application complies with DEA’s requirements and whether there are any limitations on its use for controlled substance prescriptions. (A limited set of prescriptions require information that may need revision of the basic prescription standard before they can be reliably accommodated, such as hospital prescriptions issued to staff members with an identifying suffix.) The application provider must provide a copy of the report to practitioners who use or are considering use of the electronic prescription application to allow them to determine whether the application is compliant with DEA’s requirements.

Q. Until a practitioner has received an audit/certification report from the application provider indicating that the application meets DEA's requirements, how can the electronic prescription application or electronic health record application be used to write controlled substances prescriptions?
A. Nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription or EHR application that does not comply with the interim final rule to prepare and print a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used. Until the application is compliant with the final rule, however, the practitioner will have to print the prescription for manual signature. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.

Individual Practitioners: Getting Started

(Note: The questions and responses below assume that the practitioner is an individual practitioner (e.g., physician, dentist, veterinarian, nurse practitioner) and is a DEA registrant lawfully permitted to prescribe controlled substances. The practitioner may be a member of a group practice. They further assume that the practitioner has received an audit or certification report from the application provider of the practitioner’s software used to create prescriptions for controlled substances that indicates the application meets DEA’s requirements.)

Q. Is identity proofing of individual prescribing practitioners required? If so, who will conduct it?
A. Yes, identity proofing is critical to the security of electronic prescribing of controlled substances. Authentication credentials used to sign controlled substance prescriptions may be issued only to individuals whose identity has been confirmed. Individual practitioners will be required to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their two-factor authentication credential or digital certificate. The CSP or CA will be required to conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3. Both in person and remote identity proofing will be acceptable.

Q. If a practitioner wants to undergo identity proofing to prescribe controlled substances, how is this accomplished?
A. DEA expects application providers will work with CSPs or CAs to direct practitioners to one or more sources of two-factor authentication credentials that will be interoperable with their applications. Prescribing practitioners may wish to contact their application provider to determine which CSP or CA the provider recommends the practitioner use. The specifics of each application will determine what kind of two-factor credential will be needed.

Q. Is remote identity proofing permissible?
A. Yes, the rule permits both in-person and remote identity proofing. DEA believes that the ability to conduct remote identity proofing allowed for in National Institute of Standards and Technology Special Publication 800-63-1 Level 3 will ensure that practitioners in rural areas will be able to obtain an authentication credential without the need for travel.

Q. Once a practitioner has undergone identity proofing, will the practitioner receive something?
A. The CSP or CA that conducted the identity proofing of the practitioner may issue a new hard token or register and provide credentials for an existing token. Regardless of whether a new token is provided and activated, an existing token is registered, or a biometric is used for the signing of controlled substance prescriptions, communications between the CSP or CA and practitioner applicant must occur through two channels (e.g., mail, telephone, e-mail).

Q. Why is DEA requiring the use of two-factor authentication credentials?
A. Two-factor authentication (two of the following – something you know, something you have, something you are) protects the practitioner from misuse of his/her credential by insiders as well as protecting him/her from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge.

Q. What two-factor credentials will be acceptable?
A. Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time password device that meets Federal Information Processing Standard 140-2 Security Level 1.

Q. What is a hard token?
A. A hard token is a cryptographic key stored on a hardware device (e.g., a PDA, cell phone, smart card, USB drive, one-time password device) rather than on a general purpose computer. A hard token is a tangible, physical object possessed by an individual practitioner.

Q. Is it permissible for an individual practitioner to have the office manager or other staff maintain custody of the individual practitioner’s hard token?
A. No, the practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token or knowledge factor may provide a basis for revocation or suspension of the practitioner’s DEA registration.

Q. If an individual practitioner wants to use a biometric as one factor of the two-factor authentication credential, does DEA have any special requirements?
A. DEA is establishing several standards for the use of biometrics and for the testing of the software used to read the biometrics. DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria DEA has specified may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. The use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances.

Q. Does an individual practitioner need separate authentication credentials if the practitioner has more than one DEA registration?
A. No, a single authentication credential can be used. The practitioner or the practitioner’s agent must, however, select the appropriate DEA registration number when the prescription is created.

Q. If an individual practitioner uses more than one application to create and sign controlled substance prescriptions, will the practitioner need to undergo identity proofing for each and obtain separate credentials for each?
A. Whether the individual practitioner needs to undergo identity proofing and obtain separate credentials for separate applications will depend on the requirements of the applications. It is likely that if a practitioner has privileges at one or more hospitals, the hospitals will require separate credentials to use their applications.

Q. Once a practitioner possesses the two-factor credential, is the practitioner ready to sign controlled substance prescriptions?
A. No, there is another step that must be taken. Any application that meets DEA’s requirements will require the practice to set access controls so that only individuals legally authorized to sign controlled substance prescriptions are allowed to do so. The application will determine whether access control is set by name or by role. If the logical access controls are role-based, one or more roles will have to be limited to individuals authorized to prescribe controlled substances. This role may be labeled “DEA registrant” or physician, dentist, nurse practitioner, etc.

Q. How are access controls set?
A. Setting access controls requires two people. One person must determine which individuals are authorized to sign controlled substance prescriptions and enter those names or assign those names to a role that is allowed to sign controlled substance prescriptions. A DEA registrant must then use his/her two-factor credential to execute the access control list. The access control list will need to be updated when registrants join or leave a practice.

Q. Who has to determine whether a prescribing practitioner’s DEA registration is current and in good standing?
A. A person at the practice who is setting access control has to check to be sure that each practitioner being granted authorization to sign controlled substances prescriptions has a DEA registration, state authorization to practice and, where applicable, state authorization to dispense controlled substances that are still current and in good standing. DEA expects this will be done simply by checking the latest certificates.

Institutional Practitioners: Getting Started

(Note: The questions and responses below assume that the practitioner is an institutional practitioner (e.g., a hospital or clinic) and is a DEA registrant lawfully permitted to prescribe controlled substances. They further assume that the practitioner has received an audit or certification report from the application provider of the practitioner’s software used to create prescriptions for controlled substances that indicates the application meets DEA’s requirements.)

Q. Is identity proofing required for any individual practitioner whom the institutional practitioner is granting access to issue prescriptions using the institution’s electronic prescribing application? If so, who will conduct it?
A. Yes, as identity proofing is critical to the security of electronic prescribing of controlled substances. Authentication credentials used to sign controlled substance prescriptions are issued only to individuals whose identity has been confirmed. DEA is allowing institutional practitioners, who are DEA registrants, to conduct the identity proofing for any individual practitioner whom the institutional practitioner is granting access to issue prescriptions using the institution’s electronic prescribing application. Because institutional practitioners have credentialing offices, those offices may conduct in-person identity proofing as part of the credentialing process. DEA is not requiring institutional practitioners to meet the requirements of National Institute of Standards and Technology Special Publication 800-63-1 for identity proofing. Before the institutional practitioner issues the authentication credential, a person designated by the institutional practitioner must check the individual practitioner’s government-issued photographic identification against the person presenting it. The institutional practitioner must also check State licensure and DEA registrations, where applicable.

Q. Is an institutional practitioner required to conduct identity proofing in this manner?
A. No, institutional practitioners are allowed, but not required, to conduct identity proofing. If an institutional practitioner decides to have each practitioner obtain identity proofing and the two-factor authentication credential on his own, as other individual practitioners do, that is permissible under the rule.

Q. For an institutional practitioner, is remote identity proofing permissible?
A. The rule only allows institutional practitioners to conduct in-person identity proofing. Remote identity proofing is not permissible for institutional practitioners.

Q. For an institutional practitioner, how is the two-factor authentication credential issued?
A. Under the rule, the institutional practitioner may issue the two-factor authentication credentials or obtain them from a third party which will have to be a CSP or CA that meets the criteria DEA has specified. In the latter case, the institutional practitioner could have each practitioner apply for the two-factor credential himself, which would entail undergoing identity proofing by the CSP or CA. Alternatively, the institutional practitioner can serve as a trusted agent for the third party. Trusted agents conduct part of the identity proofing on behalf of the CSP or CA and submit the information for each person along with a signed agreement that specifies the trusted agent’s responsibilities.

Q. Why is DEA requiring the use of two-factor authentication credentials?
A. Two-factor authentication (two of the following – something you know, something you have, something you are) protects the practitioner from misuse of his/her credential by insiders as well as protecting him/her from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge.

Q. What two-factor credentials will be acceptable?
A. Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time-password device that meets Federal Information Processing Standard 140-2 Security Level 1.

Q. What is a hard token?
A. A hard token is a cryptographic key stored on a hardware device (e.g., a PDA, cell phone, smart card, USB drive, one-time password device) rather than on a general purpose computer. A hard token is a tangible, physical object possessed by an individual practitioner.

Q. Is it permissible for a practitioner to have another staff person at the institutional practitioner maintain custody of the hard token?
A. No, the practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances.

Q. If an institutional practitioner wants to use a biometric as one factor of the two-factor authentication credential issued to persons prescribing controlled substances, does DEA have any special requirements?
A. DEA is establishing several standards for the use of biometrics and for the testing of the software used to read the biometrics. DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria DEA has specified may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. The use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances.

Q. Are any additional steps needed to give practitioners the ability to sign controlled substance prescriptions?
A. Yes, once a person’s identity has been confirmed by the credentialing office and a two-factor credential has been issued, another office must set access controls. The application must have the ability to assign permissions by name or role so that only authorized practitioners are allowed to sign controlled substance prescriptions. Two individuals must be involved in setting the access controls; one will enter the data based on information from the credentialing office and the second will approve the entry.

Accessing the Electronic Prescription Application or Electronic Health Record Application to Sign Controlled Substance Prescriptions

Q. When must a practitioner’s permission to indicate that controlled substance prescriptions are ready to be signed and sign controlled substance prescriptions be revoked?
A. A practitioner’s permission to indicate that controlled substance prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date it is discovered:
  • If a hard token or any other authentication factor required by the two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.
  • The individual practitioner’s DEA registration expires, unless the registration has been renewed.
  • For individual practitioners prescribing controlled substances under the registration of an institutional practitioner, when the institutional practitioner’s DEA registration expires, unless the registration has been renewed.
  • The individual practitioner’s DEA registration is terminated, revoked, or surrendered.
  • For individual practitioners prescribing controlled substances under the registration of an institutional practitioner, when the institutional practitioner’s DEA registration is terminated, revoked, or surrendered.
  • The individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice).
  • When an individual practitioner is no longer authorized to use the institutional practitioner’s electronic prescription application (e.g., when the individual practitioner is no longer associated with the institutional practitioner).

Creating and Signing Prescriptions

Q. What information is an electronic prescription for a controlled substance required to contain?
A. As with paper prescriptions, all electronic prescriptions for controlled substances are required to contain the full name and address of the patient, drug name, strength, dosage form, quantity prescribed, directions for use, and the name, address and registration number of the practitioner. The prescription shall be dated as of the day when signed and shall be signed by the practitioner using his/her two-factor authentication credential. Where applicable, refill information must also be included, as well as any other information required by DEA regulations.

Q. Is a practitioner required to review a prescription before signing it?
A. All controlled substances must be reviewed by the prescribing practitioner. The practitioner must affirmatively indicate those prescriptions that are ready to be signed. A practitioner has the same responsibility when issuing an electronic prescription as when issuing a paper prescription to ensure that the prescription conforms in all respects with the requirements of the Controlled Substances Act and DEA regulations. This responsibility applies with equal force regardless of whether the prescription information is entered by the practitioner or a member of his staff.

Q. When a practitioner reviews a prescription, what information must be displayed?
A. All information required of any controlled substance prescription must be displayed, except for the patient’s address. However, the patient’s address must be part of the elements of the prescription that are digitally signed by the practitioner or the application and transmitted to the pharmacy.

Q. Must a practitioner separately attest to each prescription?
A. No, the application must include, on the prescription review screen, the following statement or its substantial equivalent: “By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above.” However, no keystroke is required to acknowledge the statement.

Q. Is it permissible to have a staff person in the practitioner’s office complete all of the required information for a controlled substance prescription and then have the practitioner review, sign, and authorize the transmission of the prescription?
A. Yes, however, if an agent of the practitioner enters information at the practitioner’s direction prior to the practitioner reviewing and approving the information, the practitioner is responsible in the event the prescription does not conform in all essential respects to the law and regulations.

Q. How will the two-factor credential be used?
A. The practitioner will use the two-factor credential to sign the prescription; that is, using the two-factor credential will constitute the legal signature of the DEA-registered prescribing practitioner. When the credential is used, the application must digitally sign and archive at least the DEA-required information contained in the prescription.

Q. May a practitioner use his/her own digital certificate to sign an electronic controlled substance prescription?
A. Yes, the interim final rule allows any practitioner to use his/her own digital certificate to sign electronic prescriptions for controlled substances. If the practitioner and his/her application provider wish to do so, the two-factor authentication credential can be a digital certificate specific to the practitioner that the practitioner obtains from a certification authority that is cross-certified with the Federal Bridge Certification Authority at the basic assurance level.

Q. How is an electronic controlled substance prescription signed?
A. The prescribing practitioner whose name and DEA registration number appear on the prescription must indicate those controlled substance prescriptions that are ready to be signed. When the registrant indicates that one or more prescriptions are to be signed, the application must prompt him/her to begin a two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescription(s).

Q. Will a practitioner be allowed to simultaneously issue multiple prescriptions for multiple patients with a single signature?
A. A practitioner is not permitted to issue prescriptions for multiple patients with a single signature.

Q. If a practitioner is signing more than one controlled substance prescription for a single patient, how many executions of the two-factor authentication protocol are required?
A. Each controlled substance prescription will have to be indicated as ready for signing, but execution of a single two-factor authentication protocol can then sign all prescriptions for a given patient.

Q. Once an electronic controlled substance prescription is signed, must it be transmitted to the pharmacy immediately?
A. No, signing and transmitting an electronic controlled substance prescription are two distinct actions. Electronic prescriptions for controlled substances should be transmitted as soon as possible after signing; however, it is understood that practitioners may prefer to sign prescriptions before office staff add pharmacy or insurance information. Therefore, DEA is not requiring that transmission of the prescription occur simultaneously with signing the prescription.
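
The rules in the answers above (two-person access control, revocation, two distinct authentication factors, one two-factor execution per patient, and signing the full required content including the patient's address) can be read as a gate in front of the signature step. The sketch below is an added illustration, not part of the DEA FAQ or of any certified application: every name, the sample data and the `PLACEHOLDER-DEA` value are constructed, and an HMAC with an application key stands in for the digital signature so the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

FACTOR_KINDS = {"know", "have", "are"}  # knowledge factor, hard token, biometric

# Content the FAQ requires on every controlled substance prescription.
CONTENT_FIELDS = ("patient_name", "patient_address", "drug_name", "strength",
                  "dosage_form", "quantity", "directions", "prescriber_name",
                  "prescriber_address", "dea_number")


class SigningError(Exception):
    """Raised when a request breaks one of the rules in the FAQ."""


def require_two_factors(verified_kinds):
    """Two *different* kinds are needed; two passwords count as one kind."""
    kinds = set(verified_kinds)
    if not kinds <= FACTOR_KINDS or len(kinds) < 2:
        raise SigningError("two distinct authentication factors required")


class AccessControlList:
    """Two-person rule: one person enters names, a DEA registrant executes."""

    def __init__(self, registrants):
        self.registrants = set(registrants)
        self.pending = {}        # practitioner -> person who entered the name
        self.authorized = set()

    def propose(self, entered_by, practitioner):
        self.pending[practitioner] = entered_by

    def execute(self, approver, verified_kinds):
        require_two_factors(verified_kinds)
        if approver not in self.registrants:
            raise SigningError("only a DEA registrant may execute the list")
        if approver in self.pending.values():
            raise SigningError("entry and approval need two different people")
        self.authorized |= set(self.pending)
        self.pending.clear()

    def revoke(self, practitioner):
        """Lost token, expired or surrendered registration, left the practice."""
        self.authorized.discard(practitioner)


def sign_batch(acl, signer, dea_number, prescriptions, verified_kinds,
               app_key, today):
    """One two-factor execution signs every ready prescription for ONE patient."""
    if signer not in acl.authorized:
        raise SigningError("signer has no permission to sign")
    if not prescriptions:
        raise SigningError("nothing to sign")
    for rx in prescriptions:
        missing = [f for f in CONTENT_FIELDS if not rx.get(f)]
        if missing:
            raise SigningError("missing fields: " + ", ".join(missing))
        if not rx.get("ready"):
            raise SigningError("every prescription must be indicated as ready")
        if (rx["prescriber_name"], rx["dea_number"]) != (signer, dea_number):
            raise SigningError("signer must be the prescriber named on it")
    if len({(rx["patient_name"], rx["patient_address"]) for rx in prescriptions}) > 1:
        raise SigningError("one signature cannot cover multiple patients")
    require_two_factors(verified_kinds)
    records = []
    for rx in prescriptions:
        body = {f: rx[f] for f in CONTENT_FIELDS}
        body["date_signed"] = today          # dated as of the day it is signed
        data = json.dumps(body, sort_keys=True).encode()
        # HMAC is a stand-in for the digital signature (assumption of this sketch).
        tag = hmac.new(app_key, data, hashlib.sha256).hexdigest()
        records.append({"data": data, "tag": tag})
    return records


def verify(record, app_key):
    """Recompute the tag over the archived bytes; any edited field fails."""
    expected = hmac.new(app_key, record["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def sample_rx(patient, drug):
    """Constructed sample prescription; every value is made up."""
    return {"patient_name": patient, "patient_address": "1 Example St",
            "drug_name": drug, "strength": "5 mg", "dosage_form": "tablet",
            "quantity": 30, "directions": "one daily",
            "prescriber_name": "Dr. A", "prescriber_address": "2 Clinic Rd",
            "dea_number": "PLACEHOLDER-DEA", "ready": True}


if __name__ == "__main__":
    acl = AccessControlList(registrants={"Dr. A"})
    acl.propose("office manager", "Dr. A")
    acl.execute("Dr. A", {"know", "have"})
    key = b"constructed-demo-key"
    signed = sign_batch(acl, "Dr. A", "PLACEHOLDER-DEA",
                        [sample_rx("Pat One", "drug X"), sample_rx("Pat One", "drug Y")],
                        {"know", "have"}, key, "2010-06-01")
    print(len(signed), all(verify(r, key) for r in signed))
```

Because the patient's address is part of the signed bytes even though the review screen need not display it, a later change to that field fails `verify`.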

Other Issues

Q. If a mid-level practitioner practices in a state that requires the controlled substance prescription to contain the mid-level practitioner’s supervisor’s DEA number as well as the mid-level practitioner’s DEA number, is this possible with electronic controlled substance prescriptions?
A. Multiple DEA numbers can appear on a single prescription, if required by state law or regulations, provided that the electronic prescription application clearly identifies which practitioner is the prescriber and which is the supervisor.

Q. Practitioners who work in a group practice with multiple practitioners may have all of the practitioners’ names printed on the practice’s prescription pads. Can all of the practitioners’ names appear on the practice’s electronic controlled substance prescriptions?
A. No, for electronic prescriptions, only one prescribing practitioner’s name and DEA number will appear. If a practitioner needs to sign a prescription originally created and indicated as ready for signing by another practitioner in a practice, he/she must change the practitioner name and DEA number to his/her own. The only exception to this rule is that, if required by state law or regulations, multiple DEA numbers can appear on a single prescription, provided that the electronic prescription application clearly identifies which practitioner is the prescriber and which is the supervisor.

Q. Can a qualified practitioner who prescribes schedules III, IV, and V narcotic controlled drugs approved by the Food and Drug Administration specifically for use in maintenance or detoxification treatment use electronic prescriptions for controlled substances for this purpose?
A. Yes, a qualified practitioner may use electronic prescriptions for controlled substances to prescribe schedules III, IV, and V narcotic controlled drugs approved by the Food and Drug Administration specifically for use in maintenance or detoxification treatment if the audit or certification report the practitioner receives from the application provider specifically states that the application meets DEA’s requirements for those prescriptions.

Q. How can a practitioner obtain his/her prescribing history?
A. DEA is requiring that the electronic prescription application be able to generate a log, upon request by the practitioner, of all electronic prescriptions for controlled substances the practitioner issued using the application over at least the preceding two years. This log is required to be sortable at least by patient name, drug name, and date of issuance.

Transmitting Prescriptions to the Pharmacy and Printing Prescriptions
Q. What is an intermediary?
A. An intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and the pharmacy.

Q. If transmission of an electronic prescription fails, may the intermediary convert the electronic prescription to another form (e.g. facsimile) for transmission?
A. No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. If an intermediary cannot complete a transmission of a controlled substance prescription, the intermediary must notify the practitioner. Under such circumstances, if the prescription is for a schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. This prescription must indicate that it was originally transmitted to, and provide the name of, a specific pharmacy, the date and time of transmission, and the fact that the electronic transmission failed.

Q. What are the DEA requirements regarding the storage of electronic prescription records?
A. Once a prescription is created electronically, all records of the prescription must be retained electronically. As is the case with paper prescription records, electronic controlled substance prescription records must be kept for a minimum period of two years.

Reporting Security Incidents

Q. Is a person who administers logical access controls required to report security incidents?
A. Yes, the application is required to run an internal audit for potential security incidents daily and generate a report of any such incidents. If the application generates a report and, upon investigation, the person(s) designated to administer logical access controls for the practice or institutional practitioner determines that the issuance or records of controlled substance prescriptions have been compromised or could have been compromised, it must be reported to the application provider and DEA within one business day. In general, the security incidents that should be reported are those that represent successful attacks on the application or other incidents in which someone gains unauthorized access.