Tag: HIPAA

Health IT Thought Leadership Highlight: Alexander Blau, MD, Medical Director, Doximity


Alex Blau

Doximity is the largest medical network with one in three U.S. physicians as members. Physicians use Doximity to instantly connect with other healthcare professionals, securely collaborate on patient treatment, grow their practices and discover new career opportunities.

Its vision is a future where medical communication is effortless — fast, simple, seamless and secure. Its mission is to “help physicians transcend the fragmented U.S. healthcare system and succeed in the care for their patients.”

Doximity was founded by Jeff Tangney, co-founder and former COO of Epocrates (EPOC), and launched in March 2011. Based in Silicon Valley, it’s backed by Emergence Capital Partners, InterWest Ventures, Morgenthaler Ventures (now Canvas Fund), Draper Fisher Jurvetson, T. Rowe Price and Morgan Stanley Investment Management.

Here, Alexander Blau, MD, vice president of physician marketing and medical director for Doximity, discusses the company, its future and what he’s seeing from his perch. Blau is responsible for the marketing and user acquisition teams, oversees the development of clinical programs (including a socially curated medical literature filter and case-based discussion forums), and manages the aggregation, analysis and product integration of diverse healthcare data in charting the first-ever nationwide clinical expertise map.

Give us the short story on what you do and how you came to health IT?

My background is as an emergency physician. During my training, I was drawn to the latest in mobile health technology and eventually built my own app for medical interpretation. From that moment, I knew I was hooked on health tech. Three years ago, I joined Doximity to join a larger team to develop yet more tools that help doctors practice medicine every day.

Tell me about Doximity. There’s been some press lately about how it’s really innovating the space. What are you doing that makes for such success? Care to share the secret sauce?

Doximity is the first health tech company really built for physicians — as opposed to hospital administrators, billing departments, etc. In just three years, we’ve grown to be the largest network of verified physicians in the US, thanks to our focus on what doctors truly need from technology. Our focus on doctors is the secret sauce.

What are some of the misconceptions you face? Obstacles you must overcome?

There’s a misconception that physicians aren’t technology savvy, which is absolutely not true. Doctors have been among the earliest adopters of all kinds of communication technologies starting with pagers and the first smart phones. When it comes to social media, doctors are necessarily skeptical about privacy and HIPAA compliance. The great thing is that Doximity is specifically built to address physician privacy requirements and enable them to communicate professionally on the mobile devices they rely on.


Impact of the ICD-10 Delay on the Property and Casualty Sector

Michele Hibbert-Iacobacci

Guest post by Michele Hibbert-Iacobacci, CMCO, CCS-P, vice president, information management and client services, Mitchell International.

The International Classification of Diseases, 10th Revision, Clinical Modification and Procedural Coding System (ICD-10-CM/PCS) implementation in the United States is being delayed yet again. According to the latest polls and surveys, many organizations (most of which need to use it) were ready to roll with the new classification on October 1, 2014. The change came about because the Senate approved a bill (H.R. 4302) on March 31, 2014, that delays the implementation of ICD-10-CM/PCS by at least one year; CMS subsequently announced a forthcoming interim final rule that would set the new compliance date at October 1, 2015.

How will this new implementation date affect Property and Casualty payers and providers? For an industry that was not required to change, P&C was ready to go – mainly because of the dependency on payments and bill processing. The question was, “Will we see ICD-9 and/or ICD-10?”

Fortunately, from a processing perspective, the P&C industry was prepared for almost anything. Payers were building processing systems and/or contracting with vendors that considered all possibilities, including bills submitted with both code sets and the submission of ICD-9 codes well after the effective date. These payers also considered the compliance environment, as most are guided at the state level.

As difficult as it may be to be ready for the effective date of ICD-10 only to have it changed, most aspects of the delay are positive for property and casualty. Additional time for testing, communication to providers and overall education (external and internal) enhances readiness for the new date. The negative is the cost: staff was added and trained as testers, educators and coders for the initial date, and maintaining those staffing levels for a longer period was not accounted for in most budgets. Implementation will now cost more, and many companies did not plan for the additional timeline.

So how will this shake out moving forward? Providers will likely react by submitting ICD-10 codes to P&C payers before the implementation date of October 1, 2015. Payers will need to decide how they will handle these claims, since P&C is not governed by the same rules under HIPAA as the health side. Some payers may decide to turn these claims back to providers; others will translate them to ICD-9 for payment. Compliance standards, where a state has implemented mandates on the use of code sets that need to be addressed and/or revisited, may also affect the way payers process ICD-10 codes prior to October 1, 2015.

Utilizing Cloud-Based Technologies in a Compliant Industry: Healthcare

Travis Good

Guest post by Travis Good, M.D., CEO and co-founder of Catalyze, Inc.

Even if a bit delayed, the power and value of cloud-based technologies are starting to seep into healthcare. With each new cloud-based technology piloted or taken to scale by a healthcare organization, other institutions and corporations become more willing to roll the dice on deploying cloud-based technology. While still slow, it is happening, but not where you may think. Instead of being found in the typical core applications of EHR or practice management systems, cloud-based technologies are being introduced in the innovative health technology areas of virtual care delivery and patient self-reporting. Those areas are breaking down the barriers to cloud adoption in healthcare, and the pace is increasing.

Cloud-based technology acceptance, along with everything else in the healthcare industry, is moving faster than ever before. Accountable care, bundled payments, patient satisfaction, continuous care and the consumerization of healthcare are catalyzing changes to a very large, slow-moving, highly regulated and risk-averse industry. Technology and technology-enabled services are essential for riding out these waves of change.

Every healthcare segment has seen these paradigm shifts and is trying to carve out a piece of the new pie. Large medical centers and health systems want to commercialize tools created in-house. Payers are building technology geared toward new forms of care delivery and price transparency, while biopharma is building technology to deliver continuous care powered by data from its core products – devices and medicines. All three of these healthcare segments can build technologies that utilize cloud computing and thus reap the following benefits:

Compliance and Cloud Computing

With the recent changes to HIPAA that went into effect as part of the HITECH and HIPAA Omnibus Rule in 2013, a surge in compliance interest has developed, especially where compliance relates to cloud computing. The HIPAA Omnibus Rule created a new segment within the chain of compliance leading back to covered entities. The new “subcontractor” segment is something every healthcare compliance officer must be aware of. In much the same way as a business associate processes, transmits or stores ePHI for a “covered entity,” a subcontractor processes, transmits or stores ePHI for “business associates.” And subcontractors, like business associates, are required to sign business associate agreements (BAAs). These agreements outline the obligations of each party in meeting the different aspects of the HIPAA compliance rules, and allocate the risk arising from different types of possible ePHI breaches.

In creating this new “subcontractor” entity, the Omnibus Rule accounted for the paradigm shift in technology development and cloud computing. The most commonly used example of a subcontractor is found in a cloud hosting provider like Amazon (AWS) or Rackspace; yet, many other types of services exist that could be considered subcontractors.

As data and services are increasingly accessed via Web services (typically APIs), a huge number of BLANK-as-a-Service offerings have emerged. Many modern applications use third-party APIs for features and functionality to speed time-to-market while adding value for users. Using simple-to-consume APIs, modern applications can tap into databases, messaging (SMS, push, email or voice), usage metrics, logging, customer support, data sources, backup and so forth.


Acceptable Use Policies: Security Hygiene Starts with a Healthy Dose of Training

Lysa Myers

Guest post by Lysa Myers, security researcher, ESET

In my last post, I discussed the steps to performing a healthcare IT risk assessment. Once you’ve determined the risks within your environment, an important part of addressing those risks is to set up policies about acceptable use – formally known as Acceptable Use Policies (AUP) – for your staff members and then to train your staff accordingly.

The weakest link in most security chains is the human element, namely people thwarting protections put in place, intentionally or by mistake, or simply through lack of understanding. But how do you set up policies and train people if neither you nor the people on your staff are particularly security-savvy?

Trainings and Templates

If you’re starting at or near ground zero when it comes to information security knowledge, the first question to ask is: Would it be better to train someone to become your security guru, or to simply improve overall knowledge within the organization and establish common-sense usage policies?

Unless you have someone in your organization who is dedicated to IT tasks, it may be difficult to mandate security training, but it’s wise to have a security-conscious person handling your infrastructure. At a minimum, when you train the rest of your staff on their security roles and responsibilities, your IT personnel should go through at least as much training: they will likely be in charge of setting up the protections that are to be used by the rest of the organization.

If you have a smaller healthcare organization, you can still create an AUP without a security guru. In fact, having a less complex organization simplifies the definition process. In this case, something that is focused on healthcare and yet very simple, where you can “fill in the blanks,” could be quite helpful: HealthIT.gov provides a template that could work well for smaller organizations.


Technical Challenges Along the Way to HIE Sustainability

Egor Kobelev

Guest post by Egor Kobelev, software delivery manager — healthcare, DataArt.

There are many organizational and technical challenges that health information exchanges (HIEs) struggle with while trying to deploy and maintain their platforms. One of the most complex organizational and administrative challenges is achieving sustainability. While that is often the ultimate goal for HIEs, there is a huge number of smaller technical challenges to meet, and the way those challenges are addressed often makes a difference to future HIE sustainability.

One of those typical tasks in the industry is patient lookup and mapping. There is a well-known issue with any sort of health data integration: the lack of a global unique patient identifier. Thousands of healthcare providers and payers use their own internal identifiers, and there is no easy way to establish a relationship between them. Social Security Numbers or similar national identifiers, while useful in some scenarios, are not suitable for identifying healthcare records, primarily because of the risk of violating HIPAA rules.

The good part of the story is the amount of discussion about a National Patient Identifier (NPI). For instance, HIMSS is proactively driving the initiative to introduce an NPI, so that eventually patient mapping, currently a challenge, will become routine. However, the reality is that we are pretty far from having an NPI legislated and deployed in healthcare organizations nationwide. At the same time, as many as 8 percent to 14 percent of patient records have errors caused by mismatched patient identifiers, which in turn cost hundreds of millions of dollars to repair and reconcile. So, while we wait for the NPI, what would be a solution that is HIPAA compliant, provides high accuracy and throughput, and minimizes manual intervention at the same time?


Innovation in Healthcare Requires New Technology Coupled with Strong Cultural Leadership

Steve Jourdan

Guest post by Steve Jourdan, founder and CEO, BedWatch.

It’s a broken record: we need innovation in healthcare. As the largest economy in the world by a significant margin, with many resources at our disposal, one would think that our ability to deliver healthcare services would also rank at or near the top. In fact, we don’t rank well at all. A Bloomberg ranking from last year finds the U.S. healthcare market ranked 46th in the world in terms of efficiency, with the second-highest healthcare costs per capita reported[1].

But innovation equals risk, and risk is a four-letter word in healthcare, for good reason. Margins are thin, enforcement and compliance efforts related to HIPAA are increasing, and, ultimately, patient care hangs in the balance at a time when reimbursement models are shifting from fee-for-service to outcome-based. It makes perfect sense that healthcare organizations take a conservative approach to their business.

However, continuing to do the same thing will not move us forward. Private industry and even the federal government[2] are taking advantage of these advancements. Technology is here, but it needs to be embraced; current technologies need to be adopted by healthcare for the benefit of everyone.

If I can perform secure online banking and investing directly from my smart phone, provided by the highly-regulated financial industry, why do I have to wait to receive healthcare services because health workers are using the technological equivalent of a Big Chief Pad and no. 2 pencil?

There is great promise in current mobile and cloud computing technologies, in that they are more accessible, easier to use, more secure, more scalable and can enable people to be more effective. The technology advancements we need are already here.

That said, use of current technology is only half of the solution. The other half is the people side of the equation. A culture of improvement must be embraced by the organization from the top down in order for significant improvements to be realized.


Keeping An Eye On Redaction and Data Automation: Why It’s Important to Small Practices

David Rasmussen

Guest post by David Rasmussen, president, Extract Systems.

There’s little argument that overwhelming responsibility is placed on practice leaders to protect the security of patient records. Maintaining the accuracy, privacy and control of this data is one of the most crucial roles within the care setting. Given the high level of risk for exposure of this information and because of expanded enforcement of HIPAA, practices managing the release of information (ROI) must be more vigilant now than they have been in the past. Their processes for handling ROI need to meet not only the requirements of the law, but what’s in the best interest of the practices’ patients.

Along with the significant rise in HIPAA enforcement, practices must remain sensitive to how they handle data released to third parties. Redaction of personal information from records is one important way practice administrators can improve security, though it’s not the only way. By automating the removal of PHI, integrating redaction solutions with existing practice technology such as electronic health records, searching for and removing protected information becomes electronic, eliminating a manual, repetitive process.

Removing the risks associated with the release of PHI is possible with automated solutions that can remove data fields such as patient name, dates of service, medication lists and other general information in the health record. But even though solutions exist to automate the redaction of PHI, most organizations still process records manually, even as they migrate to electronic systems in other areas.

Data Breach Results in $4.8 Million HIPAA Settlements

Two healthcare organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated Sept. 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.” NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet.


Securing Patient Data in a Changing Technology Landscape

Guest post by Michael Howard, worldwide security practice lead, managed services, printing and personal systems group, HP.

Michael Howard

As the information technology landscape continues to rapidly evolve, healthcare providers increasingly find themselves faced with new challenges on how to best serve their patients and protect their privacy. The Health Insurance Portability and Accountability Act (HIPAA), which introduced privacy and security regulations in 1996 for providers that use electronic transmission of data, made securing patient data a prominent issue.

If you are skeptical about the potential costs of implementing a new security strategy in your office, consider this startling fact: according to the Ponemon Institute, the average cost per incident of corporate information theft is $5.5 million[1]. That number alone should be reason enough for providers to consider upgrading their security protocols. While computers and servers are often the first pieces of technology to be secured within the IT infrastructure, paper documents and printers are often overlooked. With the extensive range of security offerings available, IT managers can have greater confidence that patient records remain safe. Below are the top three ways that healthcare providers can better secure their print infrastructure:

Store medical records in the cloud

Recent data from the U.S. Department of Health and Human Services indicates that paper still accounts for a large percentage of HIPAA breaches. Between Jan. 1, 2011 and April 15, 2014, 500 patient data breaches were reported, 203 of them related to paper (more than 40 percent)[2]. One easy way to reduce the likelihood of a paper breach, and to save time spent shuttling from one file cabinet to another, is to transfer your hard-copy medical records to an electronic health record (EHR) format and store them in the cloud. Securing the paper-to-digital process can be less painful with a software solution that makes it easy for users to scan documents, convert them to electronic files and then distribute them to predetermined destinations. Not only will you simplify the data storage and retrieval process, but you will also save office space by reducing the need for file cabinets and limit excess paper.

As many healthcare providers are in the process of transitioning from paper to EHRs, it is important to be well informed on what happens to your data once it enters the cloud. Most cloud-based solutions offer bank-grade encryption for data transfer, in addition to highly protected data centers. By saving your EHRs to the cloud, you will be able to update patient records in real-time and reference past prescriptions and treatment plans while in the room with your patient. This promotes more personalized and convenient care and helps reduce duplications and inaccuracies.


Survey: Top Concerns for Healthcare IT include Data Growth, Bring-Your-Own-Cloud

Jay Savaiano

Guest post by Jay Savaiano, director, worldwide healthcare business development, CommVault.

Healthcare professionals are inundated with an abundance of ways to access and store clinical data. Healthcare IT departments are tasked with making sure that clinical data is readily available and can be accessed from a myriad of devices, in a secure manner that meets the compliance standards the entire enterprise has agreed to uphold. The deluge of data and the ever-changing ways that data is accessed are creating major challenges and concerns for the majority of professionals responsible for managing the nation’s healthcare information stream.

In a recent nationwide survey of healthcare IT managers in enterprise organizations, 75 percent of respondents – up 14 percent from last year – indicated they were concerned about the protected health information (PHI) residing in Bring-Your-Own-Cloud (BYOC) solutions, such as Box or Dropbox. A large number of BYOC solutions even offer the first 2GB of storage for free, which may speak to their popularity.

Today, smart phones, tablets and computers, which have helped proliferate the popularity of “Bring-Your-Own-Device” programs, all come out of the box with some sort of free cloud-based storage solution. Though Intel and ReadWrite report that 49 percent of U.S. IT managers “Strongly Agree that BYOD Improves Worker Productivity,” when you couple BYOC with BYOD and add protected health information to the mix, healthcare organizations can be opening themselves up to a tremendous amount of liability.

With the policies inherent in clinical applications themselves, it is easy to maintain the security of their content, which is often structured and rarely stored locally. However, the challenge revolves around unstructured data containing PHI. For example, if a clinician maintains a spreadsheet of basic patient data and places that spreadsheet in a BYOC-type solution, both the clinician and the healthcare organization expose themselves to liability. Only when cloud-based solutions are authorized by the healthcare facility and meet the organization’s compliance criteria, which usually dictate that the cloud provider is willing to sign a business associate agreement in support of HIPAA, can the organization and clinician limit the potential liability. Other factors can still create new liability, but by making the limitation of rogue cloud storage a priority, healthcare organizations can better protect themselves against a potential data breach and subsequent lawsuit.
