Guest post by Scott Walters, client services, INetU.
Whether they are cloud providers, EHR services firms or SaaS providers, technology companies that market to healthcare organizations are considered “business associates” under HIPAA. In the past, that meant customers often asked them to sign agreements assuring that they were employing best practices and would provide breach notifications to help customers maintain compliance.
As of September 13, 2013, however, changes to the guidelines were implemented that mean technology providers are now directly liable to the U.S. Department of Health & Human Services (HHS) for securing any PHI they are entrusted with. In addition to the increase in accountability, this first-hand responsibility also brings technology providers under the threat of fines that can now reach well into the millions of dollars.
The Cost of a Breach
The HHS Office for Civil Rights (OCR), the main enforcement body for HIPAA, has been gradually increasing fines for organizations that violate HIPAA. The penalties have totaled well into the millions, with several organizations in the past few years receiving fines in excess of $1.5 million from OCR. In fact, according to data from the Department of Health and Human Services, HIPAA-covered entities, and now business associates, have paid more than $18.6 million to date to settle alleged federal HIPAA violations, with $3.7 million of that coming from organizations in the last year alone. On top of this, there are often state and private legal settlements involved.
The Massachusetts Eye and Ear Infirmary (MEEI) is among the organizations that have experienced dramatic penalties firsthand, incurring fines of $1.5 million in 2012 after the theft of a laptop from an MEEI doctor who was traveling to Asia ended up exposing PHI. Blue Cross Blue Shield of Tennessee also paid $1.5 million in the same year following a breach of 1 million patient records stemming from the theft of 57 unencrypted hard drives from a leased training facility.
These two examples not only show the potential cost of a breach, they also demonstrate another quality that reaches across many of the violations to date – the fact that many of the biggest healthcare and HIPAA breaches are caused by unencrypted data and local storage of PHI. As technology providers offer services to manage this type of data, the onus to meet HIPAA regulations is more frequently falling on their shoulders. The upside to this is that, with some forethought, SaaS and EHR providers have the opportunity to make their cloud services even more HIPAA ready than their customers’ on-premise solutions.
Guest post by Jennifer Dunphy, clinical subject matter expert, Get Real Health.
You would think Barbara must be feeling pretty glum. After all, cancer has been part of her life on and off since 1981. She is battling a recurrence of her breast cancer, on top of having had a radical mastectomy and uterine cancer.
Yet, when Barbara used an Internet-based mental health screening tool recently to assess her risk for mood or anxiety problems, she finished the test with a score of six — indicating a low probability of suffering from mental health issues.
As an oncology nurse, I’ve seen how cancer and other chronic diseases can affect a patient’s mental and emotional wellbeing, as well as how their mental health can have a huge impact on their physical response to treatment and their ability to recover. So, assessing patients’ mental health is just as important as tracking their vital signs and white blood-cell counts.
Unfortunately, mental health has always been a tricky subject for everyone involved in a cancer patient’s life — from the doctor and care team to the patient and his or her family and friends. Uncertainty and a lack of clear ground rules for how to even talk about it often result in people simply avoiding the topic.
“Cancer used to be considered a death sentence,” Barbara recalls, “so everyone tiptoed around it and you were encouraged not to talk about it. It was like a little secret.”
While that’s changed a little over the years, she believes better communication is still very much needed.
“I would (address) the emotional aspect early on as part of the intake process,” says Barbara. “The doctors should be more upfront in the beginning about how they communicate your situation.”
That’s good advice, but easier said than done. While some doctors and nurses seem to be naturally gifted in their ability to talk with patients warmly and holistically, I’ve seen many others struggle to communicate about topics beyond the strictly medical.
It’s tough for a lot of patients as well. Barbara has been strong enough emotionally to reach out when she needs information or support, but many other patients are as uncomfortable discussing mental and emotional health as their caregivers.
The hard part is just getting the conversation started. That’s where technology has a pivotal role to play — and it can be as simple and accessible as the nearest smartphone, tablet or computer.
The online mental health screening tool Barbara used is called WhatsMyM3. She said she found it “easy to work with and user friendly, even for someone with a low computer proficiency.”
That feedback was music to my ears, because mental health screening technology has to be simple, quick and accurate in order to be widely adopted and used effectively. It also must serve as a two-way communication bridge between the patient and physician.
The M3 score isn’t simply a number. It’s an invitation for the patient and caregiver to take the next step and talk in-depth about what the score means, how the patient is feeling, what questions the patient might have that he or she has bottled up out of fear or awkwardness.
In other words, the technology enables a very human conversation to ensue. It’s a great example of technology creating a path to healing that would not otherwise have easily or naturally opened up. And it’s a tool that the care team can use as often as it deems necessary with that patient — including daily monitoring and communication if indicated by a higher M3 score.
WhatsMyM3 is powered by a product called M3 Clinician, an evidence-based Web and mobile reimbursable mental health screening app for mood and anxiety disorders, which was developed by Rockville, Maryland-based M3 Information LLC.
(Full disclosure: M3 partnered with my company, Get Real Health, earlier this year to integrate the M3 app into our InstantPHR product — a flexible and interoperable suite of Web-based health tools for personal health, data visualization and care management.)
Living with a chronic disease like cancer taxes the coping skills of every patient. Using technology to track and hopefully improve mental and emotional wellbeing gives patients one more tool to use in fighting what is likely the biggest battle of their lives.
Today, the Centers for Medicare & Medicaid Services (CMS) issued a proposed rule that would update fiscal year (FY) 2015 Medicare payment policies and rates for inpatient stays at general acute care and long-term care hospitals (LTCHs). This rule builds on the Obama administration’s efforts through the Affordable Care Act to promote improvements in hospital care that will lead to better patient outcomes while slowing the long-term health care cost growth.
CMS projects that the payment rate update to general acute care hospitals will be 1.3 percent in FY 2015. The rate update for long-term care hospitals will be 0.8 percent. The difference in the update is accounted for by the different statutory and regulatory provisions that apply to each system.
The rule’s most significant changes are payment provisions intended to improve the quality of hospital care by reducing payment for readmissions and hospital-acquired conditions (HACs). The rule also includes proposed changes to the Hospital Inpatient Quality Reporting (IQR) Program. In addition, the rule describes how hospitals can comply with the Affordable Care Act’s requirement to disclose charges for their services online or in response to a request, supporting price transparency for patients and the public.
“The policies announced today will assist the highly committed professionals working around the clock to deliver the best possible care to Medicare beneficiaries,” said CMS administrator Marilyn Tavenner. “This proposed rule is geared toward improving hospital performance while creating an environment for improved Medicare beneficiary care and satisfaction.”
The proposed rule asks for public input on an alternative payment methodology for short stay inpatient cases that also may be treated on an outpatient basis, including how to define short stays. In addition, the proposed rule reminds stakeholders of the existing process for requesting additional exceptions to the two-midnight benchmark.
Guest post by Anil Jain, MD, FACP, chief medical officer, Explorys, and staff, Department of Internal Medicine, Cleveland Clinic.
Nearly every aspect of our lives has been touched by advances in information technology, from searching to shopping and from calling to computing. Given the significant economic implications of spending 18 percent of our GDP on health care, and the lack of a proportional impact on quality, there has been a concerted effort to promote the use of health information technology to drive better care at a lower cost. As part of the 2009 American Recovery and Reinvestment Act (ARRA), the Health Information Technology for Economic and Clinical Health (HITECH) Act incentivized the acquisition and “meaningful use” of health IT.
Even prior to the HITECH Act, patient care had been profoundly impacted by the use of health information technology. Over the last decade we have seen significant adoption of electronic health records (EHRs), use of patient portals, creation of clinical data repositories and deployment of population health management (PHM) platforms, and this has accelerated even more over the last several years. These health IT tools have given rise to an environment in which providers, researchers, patients and policy experts are empowered for the first time to make clinically enabled, data-driven decisions not only at the population level but also at the individual level. The 2010 Affordable Care Act (ACA) not only reformed insurance, but also created incentive structures for payment reform models for participating health systems. The ability to assume risk on reimbursement requires leveraging clinical and claims data to understand the characteristics and needs of the contracted population. With this gradual shift of risk from health plans and payers to the provider, the need to empower providers with health IT tools is even more critical.
Many companies, such as Explorys, a big data health analytics company spun out from the Cleveland Clinic in 2009, experienced significant growth because of the need to integrate, aggregate and analyze large amounts of information to make the right decision for the right patient at the right time. While EHRs are the workflow tool of choice at the point of care, an organization assuming both the clinical and financial risk for its patients/members needs a platform that can aggregate data from disparate sources. Value-based care arrangements are growing at a staggering rate – many organizations estimate that by 2017, approximately 15 percent to 20 percent of their patients will be in some form of risk-sharing arrangement, such as an Accountable Care Organization (ACO). Today there are already several hundred commercial and Medicare-based ACOs across the U.S.
There is no doubt that there are operational efficiencies to be gained in a data-driven health system, such as better documentation, streamlined coding, and less manual charting, scheduling and billing. But when health IT systems are built with the patient in mind, the advantages of the data they produce extend to clinical improvements in care as well. We know that data-focused health IT is a necessary component of the “triple aim.” Coined by Dr. Donald Berwick, former administrator of the Centers for Medicare and Medicaid Services (CMS), the “triple aim” consists of the following goals: 1) improving the health and wellness of the individual; 2) improving the health and wellness of the population; and 3) reducing per-capita health care cost. To achieve these objectives, providers need to use evidence-based guidelines to do the right thing for the right patient at the right time; provide transparency to reduce unnecessary or wasteful care across patients; use predictive analytics to prospectively identify patients in the population who need additional resources; and finally, use big data to inform and enhance new knowledge discovery.
Guest post by Jay Savaiano, director, worldwide healthcare business development, CommVault.
Healthcare professionals are inundated with ways to access and store clinical data. Healthcare IT departments are given the task of making sure that clinical data is readily available and can be accessed via a myriad of devices, in a secure manner that meets the compliance standards the entire enterprise has agreed to uphold. The deluge of data and the ever-changing ways that data is accessed are creating major challenges and concerns for the majority of professionals responsible for managing the nation’s healthcare information stream.
In a recent nationwide survey of healthcare IT managers in enterprise organizations, 75 percent of respondents – up 14 percent from last year – indicated they were concerned about the protected health information (PHI) residing in Bring-Your-Own-Cloud (BYOC) solutions, such as Box or Dropbox. A large number of BYOC solutions even offer the first 2GB of storage for free, which may speak to their popularity.
Today, the smartphones, tablets and computers that have helped proliferate “Bring-Your-Own-Device” (BYOD) programs all come out of the box with some sort of free cloud-based storage solution. Though Intel and ReadWrite report that 49 percent of U.S. IT managers “Strongly Agree that BYOD Improves Worker Productivity,” when you couple BYOC with BYOD and add protected health information to the mix, healthcare organizations can be opening themselves up to a tremendous amount of liability.
With the policies inherent in clinical applications themselves, it is easy to maintain the security of the content, which is often structured and rarely stored locally. The challenge, however, revolves around unstructured data containing PHI. For example, if a clinician maintains a spreadsheet of basic patient data and places that spreadsheet in a BYOC-type solution, both the clinician and the healthcare organization are exposing themselves to liability. Only when cloud-based solutions are authorized by the healthcare facility and meet the organization’s compliance criteria – which usually dictate that the cloud provider be willing to sign a business associate agreement in support of HIPAA – are the organization and clinician able to limit the potential liability. Other factors can still create new liability, but by making it a priority to limit rogue cloud storage, healthcare organizations can better protect themselves against a potential data breach and subsequent lawsuit.
On the first day of HIMSS 2014 in Orlando, I stepped into a bewildering echo chamber. “We’re doing population health,” repeated everyone, be they physicians at a hospital whose EHR system my company implemented, the IT directors of other hospitals looking to update their EHR system or competing EHR experts. Everyone was interested in buying it, and everyone was interested in selling it. On one particular walk of the floor a colleague quipped, “Will there be a prize for the one millionth person to say ‘population health?’”
Despite this obsessive buzz nobody seemed able to define what population health is. It’s the proverbial elephant described by touch rather than sight. Is it a concept of health or a study of the various factors that affect health? Is it a course of action for the treatment of the population in its entirety or individual patients only?
The Affordable Care Act, which cites population health as an essential component of its mandate, aims to expand access to the healthcare delivery system, improve the quality of care, enhance prevention, make healthcare providers responsible for outcomes, and promote disease prevention at the community level.
All of this is commendable, but, in the end, what is population health? What does it look like? Will we recognize it if we achieve it? A friend of mine on the payer side observes that vendors claim it’s everything and providers don’t know exactly what they want it to be. Put those together and the term becomes meaningless.
There are additional questions about population health that remain unanswered. Is it an outcome, as the ACA approach suggests, or is it a foundation built on big data, analytics, ACO tools, bundled payments, systems consolidations or something else? At every HIMSS booth, the answer to these questions was a resounding “Yes.”
Guest post by Lysa Myers, security researcher, ESET.
Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for an operation. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.
How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.
How to do an EHR risk assessment
There are four basic steps – the time and effort they require depends upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth as you go. This turns a huge headache that must be dealt with all at once into something more manageable that can be revisited to keep up with changes as they occur.
According to a letter sent to clients, posted to HISTalk, Matt Hawkins, current Greenway Medical president, is leaving the organization to accept an “exciting new leadership opportunity” outside the company.
Details were not released in the letter as to whether Hawkins is staying with Vista Equity Partners, the parent organization of Greenway. Hawkins has been with Vista for several years, including stints leading Vitera Healthcare Solutions and SirsiDynix.
Tee Green, Greenway’s CEO, is expected to take the helm.
I’m not sure if Hawkins’ departure will be felt deeply at the company or if there will be any ripple effect at Greenway, since the Vista leadership team pretty much manages daily operations of the organizations it owns. Perhaps the biggest effect this development could have for clients is possible changes in strategy related to the company’s legacy systems, like Intergy and Medical Manager.
Still, this is a pretty interesting development given that the purchase of Greenway and its merger with Vitera and Success EHS is still so current.
For the record, I reported to Hawkins while I worked at Vitera in its PR department (a Sage Healthcare transplant transitioned over during the Vista transaction), but I was among the 400 to 500 laid off in 2012 as Vista restructured the company into its portfolio.