The handling and sharing of medical records is a critical and sensitive issue, and one that affects millions of providers, patients and payers every day. According to the Centers for Disease Control and Prevention, Americans alone make more than a billion visits to doctors’ offices, clinics and hospitals annually, so one can only imagine how often medical records change hands between patients, physicians, specialists, healthcare organizations and their staff.
Test results, images, medical and billing history and other related information continue to be mailed, faxed and—more commonly—emailed between interested parties. Email is the most popular of these options because it combines the wide accessibility of snail mail with the immediacy of fax transmission. But email as a means of sharing sensitive healthcare data lacks in three critical areas: security, regulatory compliance and working with large files.
Security, privacy and protection
Gaps in email security should have doctors and patients sweating bullets any time they attach medical information to an email and hover their cursor over the “send” button.
The overarching problem lies in the encryption, or lack thereof. Like CDs and popular online sharing services, medical records transmitted via email are generally unencrypted. This is the case not only in transit, but also when they sit on the servers of the email providers. Thus, sensitive medical information lies vulnerable at all times.
Exchanging records by email means exposing patients’ personal information and their entire medical histories to a nefarious underworld of hackers seeking to exploit such information. It may include the most personal and private information, from social security numbers to diagnoses for chronic illnesses. Should information get into the wrong hands, there’s no predicting the extent and impact of the consequences.
Guest post by Dr. Christopher Ray, chief technology officer of Medical Information Records, creator of AnesthesiaOS, a cloud-based EHR solution for anesthesiologists and winner of Dell’s “Advancing Medicine” Healthcare Innovation Challenge.
Mobility and Bring Your Own Device (BYOD) strategies are transforming all aspects of healthcare by enabling physicians, nurses and medical staff to improve the delivery of care while enhancing patient outcomes and safety.
The upsides are impressive: Fast, responsive, agile solutions that streamline healthcare workflows and harness big data to deliver smarter care and more personalized medicine. By enabling providers to use preferred devices and mobile cloud software, mobility can help transcend how electronic medical records (EMR) are captured, accessed and viewed.
When it comes to mobility and BYOD in healthcare, however, security and compliance must go hand-in-hand. In creating AnesthesiaOS, a fully mobile anesthesia information management system (AIMS), we focused on providing greater efficiency in practice management while ensuring the highest levels of safety and integrity for protected health information (PHI).
To that end, creating, achieving and maintaining compliance with both patient privacy and healthcare standards was accomplished by leveraging the following set of comprehensive best practices:
Protect, Identify and Confirm All Regulated Data
The biggest challenge healthcare organizations face today is preventing information from ending up in the wrong hands. Since protecting information is an overarching goal, it’s crucial to identify all regulated data that will be generated on, accessed from, stored on or transmitted by a mobile or BYO device.
Guest post by Mitchell Goldburgh, cloud clinical archive product manager, Dell.
Stage 2 meaningful use criteria require providers to make diagnostic reports and associated images accessible through a certified electronic health record. That presents a difficult hurdle for many hospitals, especially community hospitals that are not connected to a large health system. And with the plethora of EHRs in use across healthcare, the task may be difficult for some multi-hospital systems.
This is a watershed moment for many imaging practices, and Stage 2 requirements may be the factor that sends most imaging files to a vendor-neutral archive (VNA).
Knowing that Stage 2 will require facilities to integrate their medical images with EHRs, the best VNA providers have in place automated tools that can integrate these files with all of the major EHRs and with many of the smaller EHR vendors. The value of a VNA comes from local and remote content brought to EHRs with a consistent presentation of results and images at the point of clinical care. VNA solutions offer a global viewer with a common toolset to navigate documents and imaging content, thus simplifying the access and freeing users from the need to learn multiple application navigations.
As technology in imaging increases the complexity of data, the presentation of information consistently for non-imaging specialists within the accountable care group becomes crucial to “customer” satisfaction with the imaging services. But VNA software is only a part of the solution – an integrated model that simplifies delivery of content can best be achieved with a service delivery model enabled with cloud content management.
Archiving-as-a-service is the model for the future
So what does this model entail? A good vendor-neutral archiving solution enters the scenario once a clinical exam is reported. At that point, the job of the PACS is done. The exam file is transmitted to an on-site server (supported by your archiving service provider) that transforms it into a vendor-neutral format. Current files are stored on site for fast access and also uploaded to a secure cloud platform. At this point content notification occurs, informing external systems that the report and clinical imaging data are available. In this model clinicians can view content anywhere, from any device, either as a stand-alone application from the VNA or through the web-enabled EHR accessing the VNA.
IDC Health Insights announces a new report, “Business Strategy: Thwarting Cyber Threats and Attacks against Healthcare Organizations,” that features findings from the 2014 IDC Insights Cross Industry Cyber Threat Survey. The report is designed to gauge how financial services, healthcare provider organizations and retailers are responding to increasing cyber threats and the impact of successful attacks on business operations. The study also highlights how healthcare organizations are investing in their cyber strategy to protect their most valuable electronic assets.
Today’s healthcare organizations are at greater risk of a cyber attack than ever before in part because electronic health information is more widely available today than in the nearly 20 years since the Health Insurance Portability and Accountability Act was passed in 1996. Cyber criminals view healthcare organizations as a soft target compared to financial services and retailers because historically healthcare organizations have invested less in IT, including security technologies and services, than other industries, thus making them more vulnerable to successful cyber attacks.
The value of health information, which can be used to commit medical fraud, is surpassing the value of social security and credit card numbers on the black market, thus increasing the attractiveness of stealing health information.
Key findings include:
After physical loss or theft of a laptop, mobile or portable device, malicious hacking or IT incident was the most common breach reported on the Department of Health and Human Services (DHHS) website. In 2013, 20 (out of 175) breaches related to hacking or an IT incident represented 9 percent of the individuals affected and 11.4 percent of the attacks.
All respondents of the 2014 IDC Insights Cross Industry Cyber Threat Survey reported that they had experienced a cyber attack in the past 12 months; 39.4 percent reported that they were attacked more than 10 times and 27.1 percent of the attacks were described as “successful attacks.”
Security is a top IT initiative for health care providers. In 2014, according to the 2014 IDC Global Technology and Industry Research Organization IT Survey, security and risk management technologies was the number 1 initiative (29.0 percent). In 2013, it was also the top ranked initiative (20.1 percent).
Approximately one out of four cyber attacks had an impact on normal business operations. The majority of respondents (52.2 percent) indicated that the shortest impact lasted less than an hour and 43.3 percent reported that the longest duration was between eight and 24 hours.
The overwhelming majority of healthcare executives reported that their spending on cyber threats increased (59.6 percent) or stayed the same (38.3 percent) over the last three years. On average, the increase for those respondents that reported an increase was 14.8 percent.
Consumers highly value their privacy according to a recent 2014 IDC Insights Cross-Industry Consumer Experience Survey, but are not as confident that healthcare organizations were adequately protecting their data. Concerned consumers are willing to end a healthcare relationship after a breach, including changing their care providers (21.6 percent) and changing health plans (5 percent).
Guest post by Reed Liggin, founder and president, RazorInsights.
Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009, rural, community and critical access hospitals are turning to electronic health record (EHR) systems to receive significant incentive payments based on meeting meaningful use regulations. However, the impact on workflow makes achieving a return on investment (ROI) after implementation challenging. Additionally, the burden is placed on these hospitals’ small IT departments to meet federally mandated deadlines such as meaningful use.
According to a 2014 HIMSS Analytics survey, 83 percent of healthcare providers are using cloud services. Compared to server-based networks, the cloud is especially beneficial to rural hospitals because of the lower upfront, implementation and maintenance costs, resulting in increased ROI. The cloud system’s pay-as-you-use method removes the need for expensive hardware, and the accessibility and security of patient records improves efficiency and patient care, allowing hospitals to prove they are meaningfully using EHR technology.
Implementation and Maintenance
Because of budgetary restraints, rural hospitals typically have outdated technology and some areas do not even have computers. Recently, I visited a hospital with only one computer on each floor and no EHR system in place at all. Because of this, these hospitals must implement user-friendly healthcare technology that is easily implemented across the network, even for clinicians with limited or no experience in a high-tech environment. This type of easy-to-use EHR system not only improves patient care, but also helps hospitals qualify for federal incentive payments. However, time is running out. Hospitals only have one more year to receive incentives for being MU compliant. After this timeframe they not only won’t receive payments, but they will be penalized financially for not meeting regulations, which is especially detrimental to smaller hospitals.
Cloud-based solutions allow hospitals to deploy EHR systems quickly and at a lower cost. While server-based EHR systems can cost $40,000 or more, a cloud network does not require any hardware to be installed on-site. Therefore, upfront, implementation and maintenance costs are much lower than a server-based solution. Less hardware means less opportunity for failure – thus, maintenance costs decrease drastically as the lifespan of a cloud-based system is much longer than a physical server solution.
Guest post by Dr. Seth Flam, board certified in Family Practice and co-founder and CEO of HealthFusion.
CMS has some good reimbursement news for primary care physicians for 2015: It has announced a new chronic care management program starting January 1 that will allow providers to bill for providing care management for patients with chronic conditions.
In other words, primary care providers can get paid for care they likely already provide.
With this new program, chronic care management can provide a good source of revenue for a practice, if designed, managed and billed correctly. Since a provider can bill $42.60 per patient per month, with a reasonable number of patients with chronic conditions in the practice, a provider can easily see revenue of more than $50,000 per year.
Annually: $511.20 per year per patient X 100 patients = $51,120 per year
(Assumes the provider bills for each patient 12 months out of the year)
But—there are very specific things providers need to know about the program, and particular requirements they need to follow in order to get paid. Here is a preview of some of the requirements:
Identify chronic care patients who qualify.
Eligible patients include those with two or more chronic conditions expected to last at least 12 months, or until death, that place the individual at significant risk of death, acute exacerbation/decompensation, or functional decline.
Only one provider can bill for the chronic care management code for a patient in a 30-day period.
The billing provider must have a signed agreement with the patient allowing them to bill for these services and detailing cancellation rights, co-payments and types of services.
Among other things, the provider needs to supply 20 minutes or more of chronic care management services per patient per 30-day billing period.
The provider will need to create a patient-centered care plan document compatible with the patient’s choices and values.
The provider must provide either a written or electronic copy of the care plan to the patient.
The provider will need to manage care transitions between and among health care providers and settings.
Bill in accordance with CMS requirements using CPT code 99490, making sure the practice’s EHR software provides the information needed to manage and bill for this program.
Begin the process of establishing practice processes and gathering patient agreements soon, although the program doesn’t go into effect until 2015.
The International Data Corporation (IDC) Health Insights, as it reported on its webinar, “IDC FutureScape: Worldwide Healthcare 2015 Predictions,” highlights the healthcare predictions for 2015 based on the IDC FutureScape report, which provided organizations with insight and perspective on long-term industry trends along with new themes that may be on the horizon.
As healthcare costs rise, operational inefficiency will become critical at 25 percent of hospitals resulting in the development of a data-driven digital hospital strategy requiring budget in 2016.
Also, the following are several more predictions based on the firm’s insights and research:
By 2015, 50 percent of healthcare organizations will have experienced one to five cyber attacks in the last 12 months with one out of three attacks deemed successful requiring healthcare organizations to invest in a multi-prong security strategy to avoid disruptions to normal operations and incurring fines and notification costs.
Driven by the increased pressure to improve quality and manage costs, 15 percent of hospitals will create a comprehensive patient profile by 2016 that will allow them to deliver personalized treatment plans.
By 2020, 80 percent of healthcare data will pass through the cloud at some point in its lifetime, as providers seek to leverage cloud based technologies and infrastructure for data collection, aggregation, analytics and decision-making.
As a result of an increased focus on improving the consumer experience, 65 percent of consumer transactions with healthcare organizations will be mobile by 2018, thus requiring healthcare organizations to develop omni-channel strategies to provide a consistent experience across the Web, mobile and telephonic channels.
To control spiraling healthcare costs related to managing patients with chronic conditions, 70 percent of healthcare organizations worldwide will invest in consumer-facing mobile applications, wearables, remote health monitoring and virtual care by 2018, which will create more demand for big data and analytics capability to support population health management initiatives.
Building on continuing technology innovation and the increasing use of knowledge-based workflows and actionable analytics, more than 50 percent of big data issues will be reduced to routine operational IT by 2018, reducing the need for specialized IT resources to support big data.
With increased dependence on external partners for outsourced services, more than 50 percent of health and life science buyers will demand substantial risk sharing by 2018 to ensure that service providers recognize their growing role in the process and delivering added revenues to high performers at the expense of satisfactory or lesser performers.
As a result of increased pressures to deliver better outcomes of care more efficiently, payers will implement newer reimbursement models for 35 percent of their payments to providers in NA and EU within the next 36 months, resulting in related investments in quality measurement, payment and billing systems.
By 2020, 42 percent of all healthcare data created in the Digital Universe will be unprotected but need to be protected, as use of data and analytics continues to proliferate and more stakeholders are involved in delivery of care.
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, CEO and founder, Clearwater Compliance.
HIPAA-HITECH regulations have never been more strictly enforced, yet reported breaches continue to pile up in record numbers and data has never felt so unsafe. So, what gives? For one, it’s no secret to those who are paying attention that healthcare is the next cyber security battleground. We have entered an unprecedented era where cyber attacks are becoming more frequent and more sophisticated with every passing day. Medical ID theft is on the rise, and it seems hackers have healthcare squarely in their sights.
Of course, cyber threats are only part of the equation. Healthcare organizations are even more vulnerable to insider breaches caused by the actions of their employees (both intentionally and unintentionally).
The simple truth is that information risks are growing faster than most organizations can adequately respond to them. And while most organizations are completing their compliance checklists, few have embraced a comprehensive approach to information risk management. A shift in terminology, philosophy and approach are all needed. And fast.
In response to a changing healthcare landscape; a stark increase in the threats posed to maintaining the confidentiality, integrity, and availability of healthcare information; and a shift in focus by the Office for Civil Rights (OCR) and other regulatory bodies from compliance to risk management, healthcare organizations need to fortify their capabilities around safeguarding sensitive data across their entire enterprise.
This includes ensuring you are aware of all information assets used to create, receive, maintain or transmit all sensitive data across your organization; the vulnerabilities of those assets; the various threat agents and the controls you currently have in place to safeguard those information assets from exploitation of those vulnerabilities by those threats.