Governmental Health IT Initiatives

VI. Key Issues: Financing and Delivery >> A. Health Spending >> Health Cost Containment  >> Improve Administration >>  Health IT >> Governmental Health IT Initiatives (last updated 7.10.17)
Lead Editor: Dana Beezley-Smith, Ph.D.


This page (under construction) addresses various federal, state, and community initiatives to gather, analyze, and digitally share Americans’ health information. Such efforts are designed to improve population health and prevent disease. Some programs were started years prior to the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Other projects are new under HIPAA, HITECH, and the 2010 Affordable Care Act (ACA), while still other programs have expanded health data collection, exchange, analysis, and research in response to these three pieces of legislation.

Health Information Exchange (HIE)

Creation of the Office of the National Coordinator for Health Information Technology (ONC)


In 2004, President Bush issued an executive order “to provide leadership for the development and nationwide implementation of an interoperable health information technology infrastructure to improve the quality and efficiency of health care.” The Office of the National Coordinator (ONC) was established to advance an agenda “for the majority of Americans to have access to electronic health records (EHRs) by 2014.” The ONC was tasked with coordinating interoperable health IT architecture for the nation in support of patient-focused health care and population health.

Expansion of ONC Oversight Activities

The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act legislatively mandated and expanded the role of the ONC and allocated billions of dollars for efforts to expand health IT and information exchange. The Affordable Care Act “builds on the HITECH Act and recognizes health IT as a critical enabler to broad transformations in health care.” ONC describes the office as “at the forefront of the administration’s health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care.”

Federal Health Information Technology Strategic Plan (ONC)

Previous Federal Health IT Strategic Plans

  • The Federal Health Information Technology Strategic Plan: 2008 – 2012
  • The Federal Health Information Technology Strategic Plan: 2011 2015

Federal Health IT Strategic Plan: 2015 – 2020


Office of the National Coordinator for Health Information Technology (ONC). (December, 2014) “Since 2011, the health IT ecosystem has changed. As of June 2014, 75 percent (403,000+) of the nation’s eligible professionals and 92 percent (4,500+) of eligible hospitals received incentive payments from the EHR Incentive Programs. Innovation also occurred in mobile health applications and other health technologies. HHS’ 2014 Report to Congress on Health IT Adoption and Exchange highlights federal efforts across the government to advance health IT adoption and exchange. Additionally, passage of the Affordable Care Act (ACA) has also directed federal efforts toward ensuring health IT can support higher quality, more affordable care, delivered in efficient ways.
“Health information technology (health IT) allows individuals and health care entities and providers, home- and community-based supports, and public health entities to electronically collect, share, and use health information… The Federal Health IT Strategic Plan 2015-2020 (Plan) identifies the federal government’s health IT priorities. While this Plan focuses on federal strategies, achieving the vision and goals requires collaboration from state, local, and tribal governments.” The Roadmap is reflected in this graphic.



  • Feds Release Strategic Health IT Plan. “The document, now open for public comment, presents the broad federal strategy which sets the context and framing of the Nationwide Interoperability Roadmap to be released in early 2015. With the first national health IT interoperability roadmap imminent, the 2015–2020 Federal Health IT Strategic Plan is doubling down on making incompatible information systems collect, share and use health data with each other.” (Health Leaders Media, 12.9.14)
  • Feds Plan for 35 Agencies to Help Collect, Share, Use Electronic Health Info. “The Department of Health and Human Services (HHS) announced the release of the Federal Health IT Strategic Plan 2015-2020, which details the efforts of some 35 departments and agencies of the federal government and their roles in the plan to ‘advance the collection, sharing, and use of electronic health information to improve health care, individual and community health, and research.’ (The Weekly Standard, 12.9.14) The plan is illustrated with the following graphic and list of all federal departments and agencies involved in the effort.unnamed-1_10unnamed-1_8.preview
  • Roll Back the Federal 10-Year Strategic Plan for Health Information Technology: Statement for the Record. “A 2014 report for the RAND Corporation also concluded the federal [HITECH] money was invested poorly: ‘Unfortunately, the rules that the U.S. Department of Health and Human Services (HHS) issued to guide implementation of HITECH watered down the requirement for connectivity. The practical effect was to promote adoption of existing platforms, rather than encourage the development of interconnected systems. Although large vendors and many health care systems welcomed this decision, it was criticized by others. By subsidizing “where the industry” is rather than where it needed to go, HHS rule-makers allowed hospitals and health care providers to use billions in federal subsidies to purchase EHRs that did not have the level of connectivity envisioned by the authors of the HITECH act.’…As HIT expands in unpredictable directions, the federal government should exert a humble and light regulatory touch; and refrain from the temptation to spend more money to encourage the types of technologies preferred by the government, instead of patients and providers. The billions of dollars in capital being invested in HIT must be allowed to find their own course to success.” Graham, John R. (NCPA, 3.17.15)

Federal Ten-Year Interoperability Roadmap

Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure. (ONC, June 2014) According to the ONC, while the Federal Health IT Strategic Plan focuses on federal efforts, the Interoperability Roadmap “details the policy, technology and behavioral changes that public and private stakeholders must make to achieve nationwide interoperability.”

  • ONC Officials Detail EHR Data-Sharing Goals. “‘We are serious that we want to hear your thoughts,’ said Karen DeSalvo, MD, MPH, national coordinator for health information technology, at the ONC’s annual meeting, held here February 2. ‘This is not something that the federal government should do alone, or can do alone,” she said, adding that it was important for clinicians, payers, consumers, states, and the private sector to each play a role. ‘It has to be inclusive, and we have to meet deadlines because the country is impatient, as are all of you when you show up in a clinical environment,’ said Dr DeSalvo. The ‘roadmap’ sets 3-, 6-, and 10-year goals. The first target is for a majority of individuals and health care providers to be able to send, receive, find, and use a common set of electronic clinical information by the end of 2017…The roadmap envisions a ‘core set of building blocks’ that are needed to achieve interoperability, including establishing technical standards to allow for common exchange of clinical information, better certification of health information technology products, privacy and security protections, supportive business, clinical, cultural, and regulatory environments, and clearly defined rules of engagement and governance.” (Medscape Medical News, 2.3.15).
  • Redirecting ONC’s Interoperability Roadmap. “The draft interoperability roadmap released by the Office of the National Coordinator for Health IT contains so many details in its 166-pages that has been called ‘meaningful use on steroids.’ The roadmap draft appeared in late January to coincide with the ONC National Meeting, which focused largely on interoperability… Golder senses a shift in tone away from the meaningful use that has preoccupied healthcare organizations and putting emphasis back on interoperability… ‘It has moved along from the era of EHR adoptions to the era of impatience,’ he said. ‘Tremendous investment has been made in IT systems, EHRs and medical devices. They’ve got the data flowing, but with consolidation of provider organizations, they need a clean installation of IT across these newly formed systems.’” (Healthcare It News, 4.23.15)
  • Nonfederal Efforts to Help Achieve Health Information Interoperability. “Stakeholders and initiative representatives GAO interviewed described five key challenges to achieving EHR interoperability, which are consistent with challenges described in past GAO work. Specifically, the challenges they described are (1) insufficiencies in health data standards, (2) variation in state privacy rules, (3) accurately matching patients’ health records, (4) costs associated with interoperability, and (5) the need for governance and trust among entities, such as agreements to facilitate the sharing of information among all participants in an initiative. Representatives from the 18 initiatives GAO reviewed said they are working to address these key challenges using different approaches. Each key challenge is in the process of being addressed by some initiatives. To move interoperability forward, initiative representatives noted, among other issues, that providers need to see an EHR system as a valuable tool for improving clinical care.” (General Accountability Office, September 2015)
  • Analyzing ONC’s Interoperability Roadmap. “The protection of patients’ health data is a fundamental principle deeply woven throughout federal regulators’ new 10-year roadmap for interoperable health data exchange. While some experts say the plan is on the right track, others say more work is needed…’A few areas of the roadmap were disappointing or concerning,’ he says. ‘The roadmap sets expectations for vendors to step up to help achieve interoperability. Most EHR vendors still are providing products that do not support encrypting their databases at rest.’… Among other things, the roadmap calls for more harmonization of state and federal laws and recommends technology vendors implement technical standards for capturing, collecting and communicating patient consent.” (GovInfoSecurity, 10.8.15)
  • ONC Cites Security, Incentive Woes Among 5 Biggest Interoperability Roadblocks. “Substantial interoperability has yet to be achieved across healthcare, a recent report to Congress from the Office of the National Coordinator’s Health IT Policy Committee shows, held up by reasons including lack of standardization and security concerns. Here are the five major roadblocks to more widespread data sharing, according to the ONC:
    • Lack of universal standards-based EHR systems’ adoption. True health information exchange won’t happen until a critical majority of providers have installed and are successfully capable using EHRs.
    • Impact on providers’ day-to-day workflow. Technology has reached the capability of making interoperability possible, but process innovation has yet to catch up.
    • Complex privacy and security challenges associated with widespread HIE.
    • Need for synchronous collective action among multiple stakeholders.
    • Weak or misaligned incentives. Economic incentives for interoperability can discourage providers. And traditional fee-for-service payment models aren’t enough to persuade providers the extra work is worth it. EHR developers have focused more on a fee-for-service model in the past, thus lowering the demand for interoperability.” (Healthcare IT News, 12.17.15)

Public Health Surveillance Programs

Health Insurance Portability and Accountability Act (HIPAA)


HIPAA, the Health Insurance Portability and Accountability Act of 1996, was primarily aimed at providing workers with easier ways to continue their health insurance coverage when changing jobs. An area of special consideration was the transfer or portability of patient records. The easiest way to make data transfers is electronically, and the most common is via electronic mail. However, since email is not a secure form of communication, legislators added language to ensure the confidentiality of patient information when stored or sent electronically, which became the first attempt to address email confidentiality.
In response to the Health Insurance Portability and Accountability Act (HIPAA), The Department of Health and Human Services issued regulations titled Standards for Privacy of Individually Identifiable Health Information. For most covered entities, compliance with these regulations, known as the Privacy Rule, was required as of April 14, 2003. (NIH, 2004)
The Institute for Health Freedom has estimated that there are more than 2.2 million entities legally permitted to electronically share health information under HIPAA.

Protected Health Information (PHI)

The Privacy Rule established a category of health information, referred to as Protected Health Information (PHI) which may be used or disclosed to others in certain circumstances or under certain conditions. PHI is a subset of what is termed Individually Identifiable Health Information (IIHI) (NIH, 2004).
The privacy rule protects all IIHI stored or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).  This includes common demographic information such as name, street address, telephone number, date of birth, social security number, etc.  PHI also includes past, present or future information about the individuals physical or mental health condition, payment status and provision of health care.

Covered Entities

CMS has provided a flow sheet to help determine who is a covered entity. The Administrative Simplification standards adopted by Health and Human Services (HHS) under HIPAA apply to any entity that is:

  • a health care provider conducting certain standard transactions in electronic form (called a “covered health care provider”).
  • a health care clearinghouse.
  • a health insurance plan.

“Certain standard transactions” include those involving:

  • claims and encounter information
  • payment and remittance advice
  • claims status
  • eligibility
  • enrollment and disenrollment
  • requests to obtain referral certifications and authorizations
  • coordination of benefits
  • premium payment

Transactions of paper via facsimiles and voice via telephone are not electronic transactions because the information did not exist in digital format before transmission. Data sent by email and through the internet, even if scanned into a pdf file, is an electronic transmission.

Disclosure of PHI to Covered Entities

With certain exceptions, the Privacy Rule applies to individually identifiable health information created or maintained by a covered entity. The Privacy Rule also permits covered entities to use and disclose PHI for purposes of treatment, payment, and health care operations without authorization. (NIH, 2004).

Disclosure of PHI to Business Associates

The Privacy Rule also permits disclosures to business associates. Business associates are individuals or entities that perform certain functions or services on behalf of the covered entity that require the use or disclosure of PHI, provided certain arrangements to safeguard the PHI are in place between the covered entity and the business associates. The Privacy Rule also permits, without authorization, covered entities to make a number of other disclosures of PHI, including disclosures required by law, disclosures to public health authorities authorized by law to collect or receive such information for public health activities, and disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA (e.g., clinical trial drug sponsors) (NIH, 2004).

Disclosure of PHI to Researchers

  • According to the National Institutes of Health (6.22.04), HIPAA’s “Privacy Rule permits a covered entity to use or disclose PHI for research under the following circumstances and conditions:
    • If the subject of the PHI has granted specific written permission through an Authorization that satisfies section 164.508.
    • For reviews preparatory to research with representations obtained from the researcher that satisfy section 164.512(i)(1)(ii) of the Privacy Rule.
    • For research solely on decedents’ information with certain representations and, if requested, documentation obtained from the researcher that satisfies section 164.512(i)(1)(iii) of the Privacy Rule.
    • If the covered entity receives appropriate documentation that an IRB or a Privacy Board has granted a waiver of the Authorization requirement that satisfies section 164.512(i).
    • If the covered entity obtains documentation of an IRB or Privacy Board’s alteration of the Authorization requirement as well as the altered Authorization from the individual.
    • If the PHI has been de-identified in accordance with the standards set by the Privacy Rule at section 164.514(a)-(c) (in which case, the health information is no longer PHI).
    • If the information is released in the form of a limited data set, with certain identifiers removed and with a data use agreement between the researcher and the covered entity, as specified under section 164.514(e).
    • Under a ‘grandfathered’ informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or Authorization or other express legal permission to use or disclose the information for research as specified under the transition provisions of the Privacy Rule at section 164.532(c).
    • The Privacy Rule also allows use of electronic health records of deceased subjects for research (HIPAA Privacy Rule (section 164.512(i)(1)(iii))).
  • Do the HIPAA Privacy Rule’s Requirements for Authorization and the Common Rule’s Requirements for Informed Consent Differ? “Yes. Under the Privacy Rule, a patient’s authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual’s informed consent, as required by the Common Rule and the Food and Drug Administration’s (FDA) human subjects regulations, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of protected health information. See our research section and frequently asked questions about the research provisions for more information about the Common Rule. For this reason, there are important differences between the Privacy Rule’s requirements for individual authorization, and the Common Rule’s and FDA’s requirements for informed consent. However, the Privacy Rule’s authorization elements are compatible with the Common Rule’s informed consent elements. Thus, both sets of requirements can be met by use of a single, combined form, which is permitted by the Privacy Rule.” (Department of Health and Human Services, 3.14.06)
  • How Does the HIPAA Privacy Rule Apply to Research? “Researchers frequently create, collect, use, and/or share individually identifiable health information to conduct  research. The HIPAA Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”
    Researchers who are covered entities (health care providers, health plans, or clearinghouses) or business associates of such entities under HIPAA are subject to the HIPAA Privacy Rule. In general, covered entities must obtain the authorization of the individual who is the subject of the protected health information (PHI) in order to use it for purposes other than treatment, payment, health care operations, and other specific uses permitted by the Privacy Rule (e.g., law enforcement, threat to health or safety). As such, covered entities generally must obtain authorization prior to using PHI for research purposes. However, covered entities may obtain a waiver of the authorization requirement if the information will be used for research purposes and if approved by an Institutional Review Board (IRB) or Privacy Board. In order to grant a waiver (or modification) of the authorization requirement for research, an IRB or Privacy Board must be satisfied that the following criteria are met:

    • The use or disclosure of PHI involves no more than a minimal risk to individual privacy, as shown by:
      – an adequate plan to protect against improper use and disclosure;
      – an adequate plan to destroy identifiers as soon as the research purpose ends; and
      – adequate written assurances that the PHI will not be reused or disclosed to anyone else; and
    • The research could not practicably be done without the PHI. (Health Info Law, 5.28.14)

Statement from the CDC Regarding Use of PHI

(2003): “Public health practice often requires the acquisition, use, and exchange of PHI to perform public health activities (e.g., public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research). Such information enables public health authorities to implement mandated activities (e.g., identifying, monitoring, and responding to death, disease, and disability among populations) and accomplish public health objectives. Public health authorities have a long history of respecting the confidentiality of PHI, and the majority of states as well as the federal government have laws that govern the use of, and serve to protect, identifiable information collected by public health authorities… Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.” See Box 4 for examples of ways the CDC receives and transmits PHI.


  • Health Information Technology Privacy Summary. “In poll after poll Americans, both doctors and patients, harbor worries that their personally identifiable medical data will not be protected. Medical records privacy is currently protected pursuant to the Health Insurance Portability and Accountability Act (hereafter HIPAA). Unfortunately the HIPAA regulations contain numerous exceptions which allow for widespread access, sale and use of medical records. Patients have almost no control over how information is used, to whom it is disclosed or even the ability to learn about these disclosures after the fact.” (American Civil Liberties Union, 2009)
  • Eleven Different Myths About HIPAA, Patients and Medical Records Privacy. “The Health Insurance Portability Accountability Act (HIPAA) was passed by the US Congress in 1996. It was originally intended to protect a patient’s access to insurance, ensuring that even if someone lost his job, he would be able to get insurance without regard to a pre-existing condition. Later, security policies were added to cover the electronic sharing of medical records. Today HIPAA is comprised of an unwieldy set of policies and laws that are confusing and too easily misunderstood by patients and health professionals alike.” (, 1.31.16)
  • The Truth About HIPAA. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) began as a ‘portability act’ to help individuals keep their health insurance coverage as they moved from one job to another.  HIPAA evolved to include much more than portability.  It is a complex set of rules that cover patient privacy and the use of information technology to transfer your medical records. Your right to control the use and disclosure of your personal health information was eliminated in 2003 by regulatory changes made to HIPAA. 
    • Effective April 14, 2003, patients were required to sign new ‘Privacy Forms’ that gave the illusion that their records were private. (See “The Elimination of Consent” chart for a more detailed explanation.) The changes mean that millions of strangers, as well as employers, can use your health records for reasons that have nothing to do with your treatment or improving your health care.  In an era of Electronic Health Records (EHRs) and Personal Health Records (PHRs), the problem could get worse as your personal health information is more easily accessible.
    • The ‘Privacy Rule’ Became the ‘Disclosure Rule.’ HIPAA produced absurd results because patients were no longer asked what medical information they wanted shared and what information they wanted to be kept private. Barriers were created that patients didn’t want, and access was granted to private corporations, individuals and government agencies that patients would never have agreed to.
    • Even more damaging, the amendments to the ‘Privacy Rule’ opened the nation’s sensitive health records to millions of providers, employers, government agencies, insurance companies, billing firms, transcription services, pharmacy benefit managers, pharmaceutical companies, data miners, creditors and more for any ‘routine’ use.
      • You will not receive any notice of ‘routine’ use and disclosure of your health information.
      • There are no audit trails of ‘routine’ uses and disclosures
      • Access to your health record is retroactive, regardless of whether you paid out-of-pocket or were guaranteed privacy at the time. This means your health records from birth to death are available to others.” (Patient Privacy Rights Foundation, 2016)
    • De-Identification and the Health Insurance Portability and Accountability Act (HIPAA).  “Under the current HIPAA privacy rule, protected health information can be distributed without restriction provided that the data have been appropriately de-identified, that is provided that identifying information such as names, addresses and phone numbers have been removed. Interest in de-identification extends far beyond health care... But there is a problem with de-identification. We know that there are de-identified datasets in which some of the records can be re-identified. That is they can be linked back to the original data subject. Sometimes this is because the records were not properly de-identified in the first place. Other times, it is because that information in the dataset is distinctive in some way that was not realized at first. This distinctiveness can be used to link the data back to the original identity.” (National Committee on Vital and Health Statistics, 5.24.16)

Affordable Care Act (ACA)

Data Collection

  • Affordable Care Act to Improve Data Collection, Reduce Health Disparities. “HHS announces new draft standards to improve the monitoring of health data by race, ethnicity, sex, primary language, and disability status, and begins planning for the collection of LGBT health data. Under Section 4302 of the Affordable Care Act, the Secretary is required to ensure that any federally conducted or supported health care or public health program, activity or survey collects and reports data, to the extent practicable, on race, ethnicity, sex, primary language and disability status, as well as other demographic data on health disparities as deemed appropriate by the Secretary.” More information on improving data collection to reduce health disparities is found in the “Disparities Fact Sheet.” (Fierce Healthcare, 6.29.11)
  • Improving Collection of Racial and Ethnic Data to Reduce Health Disparities. “The Affordable Care Act improved data collection primarily by requiring that all national population health surveys and programs collect data on race, ethnicity, sex, English Language proficiency, and disability status, but areas of concern remain.” (Families USA, December 2014)

National Patient-Centered Clinical Research Network (PCORnet)


Established through the Affordable Care Act, the Patient-Centered Outcomes Research Institute (PCORI) describes itself as a “an independent nonprofit, nongovernmental organization located in Washington, DC.” PCORI has invested more than $250 million to develop PCORnet: The National Patient-Centered Clinical Research Network.
“PCORnet is a large, highly representative, national network for conducting CER (Clinical Effectiveness Research). It fosters a range of observational and experimental CER by establishing a resource of clinical data gathered in a variety of healthcare settings, including hospitals, doctors’ offices and community clinics… Data are collected and stored in standardized, interoperable formats under rigorous security protocols, and data sharing across the network uses a variety of methods that ensure confidentiality by preventing patient identification.”

Second Phase (begun September, 2015)

  • PCORnet announced in September 2015 that it is now integrating data from 13 Clinical Data Research Networks (CDRNs) and 20 Patient-Powered Research Networks (PPRNs).
  • PCORI Adds $142M for Big Data Research. “The Patient-Centered Outcomes Research Institute Board of Governors has approved nearly $142.5 million to support the continuing development and expansion of PCORnet, the National Patient-Centered Clinical Research Network. PCORI is an independent, nonprofit authorized by Congress in 2010. Its mission is to fund patient-centered research. The new funds enable the addition of seven health data networks to PCORnet, which is designed to link researchers, patient communities, clinicians and health systems in research partnerships that leverage the power of large volumes of health data maintained by the partner networks…The funding will support a three-year second phase of development during which several research studies will begin. Specifically, it will back 34 individual health data networks that together make up PCORnet, including continued support for 27 networks selected to participate in PCORnet’s first phase of development, which began in April 2014.” (HealthIT News, 7.22.15)

Data Services Hub

The “Hub” serves as the single entry point for state exchanges through which they access information on ACA applicants from seven federal agencies. The purpose of the Hub is to determine eligibility and subsidy opportunities by confirming personal characteristics such as identity, citizenship, income, family size and incarceration status. The system also acts to identify applicants who may have to access other U.S. health programs.

  • Potential ObamaCare Privacy Nightmare. “By mid-December, the federal government is planning to quietly enact what could be the largest consolidation of personal data in the history of the republic. If you think identity theft is a problem now, wait until Uncle Sam serves up critical information on 300 million American citizens on a platter… This hub will achieve what has, until now, only appeared in pulp thrillers: a central database linking critical state and federal data on every U.S. citizen for real-time access. Congress should be concerned about the ability of government to keep the data hub secure. Data security is already dismal.” (USAToday, 12.6.12)
  • According to the DailyCaller (7.31.14), the Hub was still experiencing functionality issues long after its launch. “A GAO official stated that ‘CMS incurred significant cost increases, schedule slips, and delayed system functionality’ for both and the Obamacare data hub, a computer system which communicates personal information about applicants across federal and state agencies, ‘due primarily to changing requirements that were exacerbated by inconsistent oversight.’ The administration continuously changed requirements, delayed reviews, established ‘inconsistent’ oversight over contractors and inappropriately authorized contractors to spend money. Even when CMS knew contractors were not performing up to their standards, the agency failed to hold anyone accountable.” From September 2011 to February 2014, the cost of the hub “ballooned from $30 million to almost $85 million.”
  • For further information about the Hub, as well as security issues on the federal ACA enrollment site itself, see Problems Related to Data Security on ACA Exchanges.

Medicare Access and CHIP Reauthorization Act of 2015 (MACRA)

  • Proposed CMS Rule Encourages Analysis, Sharing of Medical-Claims Data. “Some medical data miners may soon be allowed to share and sell Medicare and private-sector medical-claims data, as well as analyses of that data, under proposed regulations the CMS issued Friday. Quality improvement organizations and other ‘qualified entities’ would be granted permission to perform data analytics work and share it with, or sell it to others, under an 86-page proposed rule that carries out a provision of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). The analyses could be given or sold ‘to providers, employers, and other groups who can use the data to support improved care,’ according to a CMS news release. Qualified entities would also be allowed to provide or sell the actual claims data to providers, the CMS said… So far, 13 organizations have applied for and received approval to become a qualified entity under the act’s provisions…The MACRA provision would allow organizations like the Wisconsin Health Information Organization to accept Medicare data and then publicly report the performance of physicians both on cost and quality. The information exchange, one of the original 13 qualified entities, is the all-payer claims database for the state.” (Modern Healthcare, 1.29.16)
  • CMS Medicare Proposing More Data Selling of Both Private and Medicare Patient Claim Data – A New Dignity And Privacy Attack on Both Consumers and Doctors. “Some medical data miners may soon be allowed to share and sell Medicare and private-sector medical-claims data, as well as analyses of that data, under proposed regulations the CMS issued Friday. Quality improvement organizations and other ‘qualified entities’ would be granted permission to perform data analytics work and share it with, or sell it to others, under an 86-page proposed rule that carries out a provision of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). Dr. John Toussaint, CEO of the ThedaCare Center for Healthcare Value in Appleton, Wis., said the MACRA provision would allow organizations like the Wisconsin Health Information Organization to accept Medicare data and then publicly report the performance of physicians both on cost and quality. The information exchange, one of the original 13 qualified entities, is the all-payer claims database for the state.” Duck, Barbara. (Medical Quack, 1.30.16)
  • Medicare Program: Expanding Uses of Medicare Data by Qualified Entities. “On April 16, 2015, the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (Pub. L. 114-10) was enacted. The law included a provision, Section 105, Expanding the Availability of Medicare Data, which takes effect on July 1, 2016. This section expands how qualified entities will be allowed to use and disclose data under the qualified entity program, including data subject to section 1874(e) of the Social Security Act (the Act), to the extent consistent with other applicable laws, including information, privacy, security and disclosure laws. Those wishing to become qualified entities are required to apply to the program. Currently, thirteen organizations have applied and received approval to be a qualified entity. Of these organizations, two have completed public reporting while the other eleven are in various stages of preparing for public reporting. While we have been pleased with the participation in the program so far, we expect that the changes required by MACRA will increase interest in the program.” (Department of Health and Human Services, 2.2.16)
  • More on MACRA, Interoperability and the Post-Meaningful Use World. Comments from acting CMS administrator Andy Slavitt during an early March 2016 panel appearance at an HIMSS conference: “Three themes have emerged that have shaped the agenda you are hearing from Secretary Burwell, Karen and me. First is that physicians are hampered and frustrated by the lack of interoperability. Second, regulations in their current form slow them down, create documentation burden and often distract them from patient care. And third, they find their EHR technology hard to use and cumbersome. It slows them down, doesn’t speed their path to answers.” (The Healthcare Blog, 3.4.16)
  • Also see Medicare Access and CHIP Reauthorization Act of 2015 (MACRA)

Data De-Identification Relies on HIPAA Standards

  • “Under section 105 of MACRA, effective July 1, 2016, qualified entities will be allowed to use the combined data and information derived from the evaluations described in 1874(e)(4)(D) of the Act to conduct non-public analyses and provide or sell these analyses to authorized users for non-public use in accordance with the program requirements and other applicable laws… The framework for de-identification that is laid out in the HIPAA Privacy Rule represents a widely accepted industry standard for de-identification, so we think its concepts are appropriate for adoption into this program. Additional information on the HIPAA de-identification standards can be found on the HHS Office for Civil Rights website. We seek comment on this proposal and whether another set of de-identification standards would be more appropriate to ensure that non-public analyses do not contain information that individually identifies a beneficiary, except as provided for above where the individual is a patient of the provider or supplier who is receiving the analyses, and how qualified entities that are HIPAA-covered entities could comply with such alternate qualified entity program standards while still meeting any applicable HIPAA obligations.” (Department of Health and Human Services, 2.2.16)

International Classification of Diseases-10 (ICD-10)


The Department of Health and Human Services (HHS) originally mandated the International Classification of Diseases-10 (ICD-10) Clinical Modification (CM) and Procedure Coding System (PCS) code sets to be implemented by October 1, 2013, later postponing compliance to October 1, 2015. The new codes replaced the International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM) Volumes 1 and 2, and the International Classification of Diseases, Ninth Revision, Clinical Modification (CM) Volume 3 for diagnosis and procedure coding.
ICD-9’s 14,000 ICD-9-CM codes and 4,000 ICD-9-PCS codes were expanded to 68,000 ICD-10-CM codes and 87,000 ICD-10-PCS codes. The more granular data collection is to be used to support quality reporting, pay-for-performance, bio-surveillance, and other activities. ICD-10 codes allow comparison of mortality and morbidity data, increase collection of data for measuring care furnished to patients, and assist in the design of payment systems.

Changes from ICD-9

ICD-10-CM consists of 3-7-digit alphanumeric codes, as opposed to 3-5-digit numeric ICD-9 codes. Additional characteristics that differentiate ICD-10 from ICD-9 include:

  • Laterality (code structure denotes right vs. left appendage or side of body)
  • Chapters, categories, and titles have been restructured (e.g., ICD-9-CM V-codes and E-codes are classified into the main classification rather than as the present supplementary classifications)
  • Conditions have been regrouped and new features added (e.g., injuries are grouped by anatomic site instead of by injury type)
  • Combination diagnosis and associated symptom codes have been created (e.g., poisoning and its external cause codes are combined)
  • Location in which injury sustained, including workplace, rooms within the patient’s home, and other sites.


Accountable Health Communities Model

This CMS pilot program is designed to test the benefits of sharing Medicare and Medicaid patient data to agencies and services in patients’ communities. According to CMS, applicants for the pilot program “must be able to demonstrate the ability to engage and establish a consortium with the state Medicaid agency(ies) that serve their geographic regions” and “ensure data-sharing, including but not limited to Medicaid claims data and utilization and payment data, with CMS and its contractors.”

  • First-ever CMS Innovation Center Pilot Project to Test Improving Patients’ Health by Addressing their Social Needs. “Today’s announcement is part of the Administration’s broader strategy to improve the health care system by paying providers for what works, unlocking health care data, and finding new ways to coordinate and integrate care to improve quality.” (Health and Human Services, 1.5.16)
  • CMS Grants to Address Social Needs of Beneficiaries. “The Centers for Medicare & Medicaid Services (CMS) is launching the Accountable Health Communities Model, a 5-year pilot program to assess whether helping Medicare and Medicaid beneficiaries find assistance for social needs will improve their health and reduce health care costs for the 2 federal programs. The CMS will award up to $157 million to a maximum of 44 bridge organizations, so called for closing the gap between health care and social needs, that are developing programs to screen beneficiaries for issues such as housing instability, hunger, transportation difficulties, and interpersonal violence; to connect beneficiaries with community services that can help them resolve those issues; and to foster collaboration between health care organizations and community social service programs.” (JAMA, 2.23.16)
  • According to CMS (11.3.16), each of the tracks requires the award recipient to serve as a hub responsible for coordinating efforts to:
    • Identify and partner with clinical delivery sites (CDS) (e.g., clinics, hospitals);
    • Conduct systematic health-related social needs screenings and make referrals for all eligible Medicare and Medicaid beneficiaries;
    • Coordinate and connect community-dwelling beneficiaries who screen positive for certain unmet health-related social needs and who are randomized to the intervention group to community service providers that might be able to address those needs; and
    • Align model partners to optimize community capacity to address health-related social needs.