Guest post by James Hofert, Roy Bossen, Linnea Schramm and Michael Dowell, all partners with Hinshaw & Culbertson.
New federal healthcare legislation and its implementing regulations seek to exert control over multiple aspects of patient care. The Health Information Technology for Economic and Clinical Health Act (“HITECH”)[i], with staged implementation through 2016, seeks not only to promote implementation of electronic health record systems (“EHR”), but also to regulate electronic communications of health information by and between the patient, physician, hospitals and other healthcare institutions so as to enhance care quality, improve care coordination and reduce costs.
HITECH further envisions implementation of clinical decision support algorithms for the diagnosis and treatment of disease both during admission and after discharge. The Hospital Readmission Reduction Program[ii], effective October 1, 2012, and consistent with the objectives of HITECH, seeks to financially penalize hospitals for higher than standardized readmission rates for heart failure, acute MI and pneumonia. The Centers for Medicare and Medicaid Services (“CMS”) intend to expand application of the program to readmissions for COPD, elective total hip arthroplasty and elective total knee arthroplasty in 2015[iii]. Consistent with the preventative care goals found in HITECH, which aim to mitigate further health care problems, CMS has refused to adjust the readmission penalty program to account for readmissions unrelated to the patient’s initial hospitalization, even though such a readmission could be considered outside the hospital’s or physician’s control[iv].
The use of Server Hosted Virtual Desktops (SHVD) is up 39 percent and the use of Server Based Computing (SBC) is up 23 percent from last year’s survey.
The study also indicates that a mixed use of both SBC and SHVD is becoming more commonplace, with 49 percent of respondents indicating that they are using both technologies today (compared with 23 percent from the 2012 survey).
In addition to desktop virtualization, the Imprivata survey also asked healthcare organizations about current and planned adoption of cloud computing. The results indicate that the adoption of cloud-based applications and services is increasing more rapidly than expected, with 30 percent of survey respondents stating that they use cloud computing today (up from nine percent from the 2012 survey).
Guest post by James D. Brown, CTO, StillSecure and Andrew Hicks, Director, Healthcare Practice Lead, Coalfire
In January, the U.S. Department of Health and Human Services (HHS) announced updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules. These new rules took effect on March 26, and business associates have until September 23, 2013, to reach compliance. Under HIPAA, a business associate is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of electronic protected health information (ePHI) on behalf of, or provides services to, a covered entity. So what exactly do these new rules mean for our partners and clients?
First, it is important to note that the new rules are really just formalizing and strengthening many of the changes that were announced in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), which clearly defines when HHS needs to be notified of a breach, as well as increases the penalties applied around non-compliance.
Also, the biggest change to note is that relationships between business associates and their subcontractors (for example, a health information organization and its cloud service provider) are now presumed to be governed by a business associate agreement (BAA). In the past, subcontractors could choose to opt out of signing any agreement, which essentially limited their liability should HHS come knocking. Under the new regulations, it is clear that any healthcare provider that comes in contact with actual ePHI must sign a formal business associate agreement, making each and every subcontractor liable during a breach.
Stated differently, this means that anyone who deals with ePHI should carefully read the new rules and understand how they will be directly liable for compliance. We will start to see a shake-out among business associate companies: healthcare facilities should closely examine whether a business associate agreement is signed just to win business, or is signed by a company that actually will be accountable for HIPAA requirements and take them seriously throughout the course of the relationship.
It is also important to note that under the new regulations, it is crystal clear that business associates are directly liable for compliance and can be fined, along with the actual health care provider as a covered entity.
Here are the top five issues that organizations need to be aware of:
1. Not knowing that they need to be compliant. Many people do not realize that shredding companies and office cleaning crews that may see patient data without realizing it are now liable. Anyone that has access to ePHI, regardless of their position and how far removed they are from the covered entity, is now fully in scope.
2. Lack of a solid inventory of where data lives. Data is constantly being transmitted back and forth via applications, web servers and file servers. However, many organizations lack a comprehensive inventory of where all of this data lives, which makes it difficult to accurately assess the risk of data storage. Participants must be able to control physical access to patient information and proactively protect against inappropriate access to the data at every exchange point. This is impossible to achieve without a solid inventory.
3. Risk analysis and data classification. Under HIPAA, there is a clear requirement that companies complete a thorough risk assessment of the storage, processing and transmission of ePHI data. The risk to the data needs to be clearly defined, and any controls that are in place need to be outlined.
4. Controlling the flow of ePHI data via mobile devices. While there is not a requirement within HIPAA that addresses mobile devices, iPads, iPhones, and Androids frequently hold ePHI data. Organizations need to implement corporate BYOD policies and have controls in place including passwords and remote capabilities to protect this data.
5. Encryption. There seems to be a lot of confusion around encryption, as many people read this addressable specification as being optional. Some organizations see “encryption” and, after evaluating what it entails, decide that it costs too much money or treat it as optional. If there is a security breach, HHS officials will first ask whether the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that are in place surrounding data that may be at risk. This documentation serves as a road map for developing action items based on priority or level of risk. When a breach occurs, organizations need to demonstrate their due diligence to show that all risks were acknowledged. We cannot stress enough how thorough this documentation should be. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.
We continue to see these issues every day. The bottom line is that organizations should thoroughly read through the new rules and engage with third-party vendors to make sure that they are covered and can avoid paying penalties. Those interested in exploring a third-party solution should ensure that their prospective vendor provides a suite of proven network security and compliance technologies, compliance data center policies and procedures, and round-the-clock analyst coverage to monitor and manage networks.
James D. Brown is responsible for overall product and services strategies, and architecture and implementation of StillSecure’s product suite. James has tremendous experience in both public and private cloud security and helped create the industry’s first comprehensive Cloud Security Services Platform that supports physical, virtual and multi-tenant environments. Brown has more than 20 years of experience in the network security, IT, telecommunications, and human resources industries.
Andrew Hicks, director, healthcare practice lead, Coalfire, has over 10 years of experience in IT governance including responsibilities specific to the IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance spaces. His experience and understanding of business processes and technology has allowed him to excel in the areas of policy development, internal control design and testing, project management, system development reviews, and risk mitigation.
As 2013 gets underway, we are in the midst of a health information revolution. As many healthcare providers continue to struggle to implement electronic health record systems and meet meaningful use requirements, the promises of this revolution may seem distant, even non-existent. Indeed, many providers rightly complain that implementing EHR systems has only brought increased expense and declining productivity as they adjust to the new systems. The promises of interoperability, better outcomes, reduced medical errors and lower costs in many cases have not yet been realized.
For others, the promised benefits of electronic health information may be closer at hand. For example, The Wall Street Journal recently reported that two big names in healthcare – UnitedHealth Group, Inc. and Mayo Clinic – will form a new research company to mine de-identified health data from millions of health claims and medical records to identify best practices. This seemingly reflects a realization of one of the touted benefits of electronic health information – to change the way healthcare is provided and to reduce costs by analyzing health outcomes information.
Notwithstanding the electronic growing pains within certain quarters of the provider community, digital health is flourishing and driving the health information revolution. While the provider and payor communities were formerly the sole source of health information, consumer demand for digital health and control over health information is moving the center of the health information universe more toward individuals (the new paradigm) and away from providers and payors (the old paradigm). Both patients and providers report increased use of the Internet to diagnose medical conditions. Digital health services provided via the Internet, smart phones, cable, Bluetooth-enabled devices and other wireless technologies are putting health information at consumers’ fingertips and unlocking it from the confines of providers and payors.
Consumers want their devices to do more, and make health information and services available to them as easily as they may use their phones to search for a restaurant. Smart phone chip manufacturer Qualcomm has established a $10 million prize to develop a mobile medical computing device, inspired by the tricorder device from “Star Trek.” Smart phones and many medical devices now include multiple sensors that can be employed for a variety of health-related purposes and health-related sensors are increasingly being incorporated into clothing and home monitoring equipment. These activities are generating massive amounts of digital health information, facilitated by declining costs of data storage available through the cloud and other low-cost digital storage media.
While providers may no longer be relied upon as the sole source of medical information, they will continue to be relied upon for their medical judgment. Because of the exponentially increasing availability of health information, including genomics information, which is relevant to clinical decision-making, providers will have a significantly higher burden to digest and analyze this available information and manipulate it in the clinical setting. Look for increased use of and demand for data analytics tools in the clinical setting.
In the meantime, our regulatory regime for data privacy and security, including HIPAA and HITECH, is based on the old paradigm and severely inhibits the health information revolution. Ironically, HIPAA, which was intended to address privacy and security in a digital age, stands as a major impediment to digital health. It does so, in part, because it assumes that health information rightly resides with providers and payors (HIPAA-covered entities), rather than with their business associates (including many digital health companies) or consumers. Indeed, with limited exceptions, HIPAA requires that any business associate of a HIPAA-covered entity either return to the covered entity or destroy patient information where feasible when the relationship between the business associate and the covered entity ends.
That requirement effectively constrains information from easily following the consumer, a major objective and promise of the health information revolution. For example, HIPAA makes it difficult for a wellness company to continue to serve an individual if that individual changes health plans or the wellness company stops doing business with the individual’s health plan. In 2013, look for increased pressure to reform HIPAA to allow information to be more readily accessed by consumers and digital health companies. The more than 500 pages of new HIPAA Omnibus regulations that were issued on January 17, 2013, do not change this underlying assumption or effectively address the new paradigm of a patient-centered health information universe.
At the same time, increased use of mobile media by healthcare providers continues to challenge those who are responsible for protecting that health information. Theft or loss of mobile media, including smart phones, laptops, tablets and flash drives, continues to be among the largest sources of data breaches, prompting the federal government recently to issue specific guidance on how to use such devices in compliance with HIPAA. (See,
This guidance recommends limiting offsite use of mobile media that may contain health information. While this position is understandable, it reflects the old paradigm view that information remains within the control of the providers and payors and ideally does not leave the controlled environment of their facilities. Healthcare facilities and other companies that use mobile media containing patient information will continue to face challenges in implementing use of such devices, given the current regulatory regime.
Drew Gantt leads Cooley LLP’s Health Care and Life Sciences Regulatory Practice. Gantt is a partner in Cooley LLP’s Business Department and a member of Cooley’s Life Sciences Practice Group. His practice focuses on healthcare and life sciences regulatory counseling, complex transactions and strategic business advice.
The meaningful use of data collected in an electronic health record continues to be the stump speech of Farzad Mostashari, National Coordinator for Health Information Technology.
He’s been pushing the message for months: those achieving or working toward meaningful use attestation need to get beyond just the financial incentives of the program, he says.
Physicians and their healthcare systems need to dig deeper and realize the importance of the data that they have at their hands. They need to realize how to leverage the data to improve their patients’ health outcomes, and to lead those in their care down an educational path about the importance of their involvement in their care and how electronic systems can help improve their interaction with their care providers.
For meaningful use to work, those in the community need to make sure they’re using the data collected meaningfully. Meaningful use is a tool and it should be used as one; but unlike a simple jackknife, it’s a multi-purpose, multi-blade, do-it-all Swiss Army knife.
If used correctly, as a means for change rather than a singular solution for incentives, Mostashari believes that meaningful use can actually lead to population health management (the real reason behind meaningful use), more patient engagement (this is yet to be determined) and the creation of health information exchanges (yes, but we need interoperable systems before we see widespread use of data outside their silos).
His ambitions are correct, and collectively, there is a fundamental agreement that meaningfully using EHRs will help accomplish all of these goals (though patient engagement may remain the stickiest of wickets). The problem here, though, seems to be that even though most physicians want to dive into the deep pool of big data, they just don’t seem to be able to catch their breath.
In all walks of life we face the day-to-day grind of ongoing and seemingly never ending tasks that drive us further away from our goals. However, it’s different in healthcare. I just can’t seem to think of any other professional group (other than members of the military and police forces) under so much constant pressure to produce positive, long-term results for the people they serve.
In addition to making life and death decisions, our physicians and healthcare leaders are constantly facing the deluge of regulation and reform (meaningful use, ICD-10, HIPAA and even, to a certain extent, malpractice and 5010).
Healthcare professionals are overrun by details that have taken them into the weeds. Their days are long and their time is short. We can argue about whether electronic health records actually save them time and money; depending on whom you speak with, each person has an opinion as to their effect. Add everything I previously mentioned and it’s simply overwhelming.
I firmly believe that in a best case scenario, we’d be able to meet all of Mostashari’s proposed goals. Big data would (and can) lead to a changed system and provide real and personal stories of improved health outcomes. I believe that if we could clear away the clutter, we could begin building upon the foundation and create the best, most comprehensive, patient-serving healthcare system that produces results and actually changes lives.
But, for now, we live in a database world where, no matter how meaningfully we use them, there’s still much left to be desired.