Guest post by Rachel Weeks, director at Courion Corp.
Medical records are confidential. Until a breach occurs and they are let loose on the public, which occurs more often than we think. We need to do better.
According to Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, more than nine in 10 healthcare organizations have had at least one data breach in the past two years. Nearly half have had more than five data breaches in the same period. Breaches cost organizations more than $2 million on average over a two-year period, and the cost is rising. The potential annual cost is nearly $7 billion.[1]
As privacy and security concerns grow and technology becomes more sophisticated, you’d imagine breach rates would be on the decline. But more healthcare organizations are being victimized more often, according to the study, and most aren’t sure they can prevent or quickly detect all patient data loss or theft.
One contributor: data is simply becoming harder to control.
“Technologies that promise greater productivity and convenience such as mobile devices, file-sharing applications and cloud-based services are difficult to secure,” says the report. “Employee mistakes and negligence also continue to be a significant cause of data breach incidents. Another worry presented in this research is that sophisticated and stealthy attacks by criminals have been steadily increasing since 2010.”
You can’t blame the IT staff. There’s far more going on in the average healthcare organization than staff can reasonably handle.
Change is overwhelming
For years healthcare organizations have looked to traditional identity and access management (IAM) solutions to optimize efficiency and secure access to sensitive data. These IAM implementations typically started with user provisioning, a process that put controls in place to ensure users were given only the access rights they needed to do their job. Then, for governance, the organizations would perform periodic reviews or certifications – say, every three, six, nine, 12 months – to validate that those access rights were in line with policy.
But so much change can occur in the months between provisioning and certification: business changes, infrastructure changes, regulatory changes, new resources coming online, new roles and policies, not to mention hirings, firings and transfers, particularly in the healthcare industry with thousands of employees and many more contractors and affiliates. This creates an overwhelming amount of data detailing who has access to sensitive patient information. We call these intervals between provisioning and certification the “IAM security gap.”
As the Ponemon study says, “Many healthcare organizations struggle with a lack of technologies, resources and trained personnel to deal with privacy and data security risks.”
That’s an understatement.
However you characterize it, the IAM gap leaves an organization’s sensitive company information at risk to a range of threats, both internal and external. It can be months from the time someone gains inappropriate access rights or inadvertently accesses sensitive data to when the organization is able to discover it through periodic certifications. To date, existing IAM approaches have not provided the technology and flexibility to get a real-time view of policy and governance violations to help organizations efficiently manage the risk of improper access to patient data.
Closing the IAM Gap
Bridging the abyss between provisioning and certification requires clear understanding of what is actually happening in those billions of constantly changing access relationships created by changing people, computing resources, rights, duties and company policies. The challenge is somehow processing what human minds, or even relational databases, cannot. What’s missing is a real-time holistic view of access risk. The missing ingredient is access intelligence.
The only way to achieve access intelligence is by aggregating all the IAM data – the identity policy, activity, entitlement and resource data generated via those billions of constantly changing access relationships – into a data warehouse just like the ones you use for business intelligence in other areas of the organization. The data warehouse should embody advanced information security, policy and governance domain expertise. Then you need to constantly apply predictive analytics to that data to analyze access risk throughout your entire organization – literally every two minutes or so. Properly constructed, an access intelligence system like this can uncover deeply embedded policy violations or improper access. It can generate instant alerts on those violations, or produce graphical “heat maps” spotlighting looming risks and security breaches.
A system like this helps you find the needle in the haystack you wouldn’t otherwise discover. For example, a nurse might be authorized to search and retrieve his hospital’s pediatric records, but if he is suddenly retrieving records from oncology, dermatology and urology, well, that’s a potential problem that won’t show up without powerful analytics.
Such an access intelligence system can help healthcare organizations:
Identify risk in real time.
See where the greatest vulnerabilities lie.
See how access risk is changing.
Understand what is driving the risk.
Immediately remediate the risk.
Detect risk trends.
Predict future areas of risk.
Implement policies and preventive measures.
Fix the fundamental business process issue that creates security gaps before they become a problem.
With luck, Ponemon will have less to report in the years to come.
Rachel Weeks is a director at Courion Corp., the leader in risk-driven identity and access management.
[1] if every hospital/clinic in the country experienced the average impact
On its face, the CommonWell Health Alliancee really seems to hit the mark. A collection of the top EHR vendors coming together, sharing a stage and shaking hands; smiling; snapping photos of smiling happy CEOs. All together for one cause, or so the story goes: healthcare data interoperability. According to the “organization’s” website, interoperability is the cornerstone of healthcare’s future.
“Interoperability helps improve quality, reduce costs, enable regulatory compliance and ensure better access to healthcare for millions of people,” and so on and so forth.
Finally, CommonWell’s call to action: moving the healthcare industry beyond just recognizing the importance of interoperability, but moving the industry forward. CommonWell is supposed to be the health IT superhero that moved this giant boulder up the hill and positions it so eloquently on the top.
For those of us who didn’t know this already, CommonWell sums it up: “It’s time for healthcare IT organizations to come together and commit to achieving interoperability for the common good,” and so on and so forth.
So glad it took the giants of the industry to tell us as much.
Okay, so admittedly, this is a step in the right direction. It’s like putting big money behind a good cause. For everyone who has ever worked in the nonprofit trenches who spend their days begging the haves for the have nots, this a dream come true.
Those in the spot light can move us forward to a point where we must be. Allowing private enterprise to bear this mantle means we might finally make the move forward instead of being held back by the shackles of the federal reform and imposition.
After all, wasn’t interoperability a staple of meaningful use; an “industry consortium to adopt common standards and protocols to provide sustainable, cost-effective, trusted access to patient data,” if you will?
Because of meaningful use, we were supposed to be singing in circles by now, discussing all of the advancements we’ve made; our coming together and our ascending to the precipice. Alas, little has been attained through federally funded meaningful use except implementation and wars of words.
We waited, didn’t we? Long enough? Perhaps, perhaps not; depends on who you ask. Farzad Mostashari says we should wait a bit longer for the results to role in. The boys at Allscripts, athenahealth, Cerner, Greenway, McKesson and Relay Health (imagine the feelings of all the other vendor’s CEOs who were left out of this pre-arranged agreement; I guess there’s mincing words anymore) decided private enterprise is the way for things to actually get done.
And while it’s an interesting experiment, I think I agree with some of the other more intelligent folks in the field. Until we see some sort of actual forward movement with this initiative and until there’s some proof of life, this is really nothing more than a stake in the ground. A happy public relations move designed to flex a little corporate muscle on the industry’s largest stage.
With the annual HIMSS conference once again over, now is as good as any time to look back and pontificate on what the experience brought. For this piece, I once again reached out the readers of this site for their insight for their perspective, who are, after all, those benefiting from the show and its sessions.
It should be noted that I asked for pros and cons of the show, and I received mostly positive feedback, which doesn’t surprise me. However, don’t take that to mean this is a positive puff piece. On the contrary, I am trying to offer a fair and balance response from attendees that HIMSS leadership can use to plan future conferences.
Obviously, as each of us has been told at one time or another, criticism – good or bad – helps us grow, change and expand. With that, I welcome your comments, positive or negative about the show. Perhaps as a collective, we can help lead our community forward in a manner that’s most beneficial to all it stakeholders.
Without further ado, here are the comments from our colleagues about their reactions to HIMSS13.
Peter Ransome, vice president sales and marketing, Westbrook Technologies, Inc.
Pros: HIMSS was once again a tremendously successful event. Westbrook came away with new resellers, customers and partners. We had a great opportunity to network, learn and meet other vendors. Our team found great value in the keynotes and educational sessions and especially Farzad Mostashari’s final day keynote. Today, healthcare reform is focused on meaningful outcomes and disease management. The next wave of reform will put more emphasis on the value of preventive medicine. There are still a lot of error-prone paper processes that negatively affect the quality of patient care — even in a healthcare organization that has implemented a leading EHR system. We’ve found that more technology doesn’t necessarily result in better care. With more than 1,000 EHR vendors competing for the same healthcare dollars, consolidation is inevitable. It will be interesting to see how HIMSS changes in 2014 and how the industry is affected by rapidly accelerating acquisition activity.
Cons: (Apparently, the show was so good, Ransome listed no cons.)
Bill Fera, MD, principle, healthcare advisory practice of Ernst & Young
Pros: HIMSS has become an extremely valuable venue for gaining real-world examples of how organizations are advancing strategies to better utilize data for the improvement of patient care. Having so many industry influencers in one forum really makes HIMSS stand out — what I take away from networking and informal conversations can be just as useful as what’s formally presented in the sessions.
Cons: The challenge with HIMSS is the sheer volume of everything. The overload of information can become a distraction if you don’t allocate your time in advance and stay focused on what you want to accomplish.
Pros: HIMSS is well-organized and it had a great location this year in relations to access to airport and hotels. Additionally, education tracks were comprehensive and interesting, and there is a good assortment of attendees (institution and title).
Cons: At HIMSS, there’s not enough opportunity for partner networking. HIMSS should have a new/upcoming technology track (not just big vendors pitching products) and there should be better management of keynotes as managing overflow was challenging.
Christopher Ellis, director, Vree Health
Pros: There was clear industry movement toward technology integration and interoperability – this is a very positive step forward and something that was spoken to more than acted upon, until now. More consistently usable, structured data will open many avenues for leveraging data for better quality of care. Coming from this meeting, I am energized to see that many of the speakers emphasized that while technology is a great enabler, solutions must begin and end with the patient in mind. Providers and vendors that emphasize patient engagement, across varying levels of patient technology literacy, are positioning themselves well. The HIMSS conference was an excellent forum to survey different approaches to solving the same problems, including coordination of care, assessing health risk and patient engagement. Organizations that have a deep and long-standing heritage in healthcare clearly hit the mark on approaching these in ways that are reflective of provider operational flow.
Cons: Bring your walking shoes next year.
Thanks for all of your candid feedback, guys. I know HIMSS was considered a success this year, but there’s always room for improvement and growth, and it’s nice to be able to report such positive feedback for all in attendance.
If you have something to add, please leave a comment below. Thanks!
Guest post by Harry Jordan, vice president and general manager, healthcare for LexisNexis.
The most important question in identity management is not: “Who are you?” It’s “What do we need to know about you?” And nowhere is the answer to that question more critical than in healthcare, where inadequate systems and processes can not only threaten business integrity and success, but jeopardize lives, as well. Inevitably, it is time to shift the focus of the discussion of identity management away from authentication methodology and toward the broader healthcare context in which identity management is no longer a luxury, but a necessity.
Effective patient/member identity management springs from this fundamental question: “Given what we are trying to accomplish through this particular transaction, what do we need to know about this individual to insure safety, integrity and trust?” Or, more elaborately: “What do we need to know to prove this individual is who they say they are and that they are authorized to access the information being requested based on those identity credentials?”
The answer is determined by the intersection of multiple factors: your objectives; product and service characteristics; population demographics and attitudes; the nature, value and riskiness of the transaction being performed; the point in the process and relationship where it takes place; and organizational risk tolerance. Getting the answer right is critical to the sustainability of health care organizations and, more importantly, the safety of the individuals they serve.
Identity fraud is the fastest growing crime in the United States, affecting more than 11 million adults in 2010. Medical identity fraud is the fastest growing type of identity theft. The Ponemon Institute estimates the annual economic impact of medical identity theft to be nearly $31 billion.
Health care consumers will, and should, expect their data to be secure at all times in order to protect their financial and physical well-being. Health care stakeholders will demand solutions that ensure they are dealing with the right person, at the right time, for the right transaction, thereby minimizing risk and negative impact on their health care delivery decisions, the health of their patients and overall business performance.
As a recent Gartner report states, identity management is “increasingly recognized as delivering real-world business value,” and “identity management agility improves support for new business initiatives and contributes significantly to profitability.” Identity management is rapidly evolving to encompass emerging risks and application variability. There are tools you can put in place now to meet the increasing demands of identity management.
Point solutions and one-size-fits-all implementations are being supplanted by or absorbed into more comprehensive and flexible approaches. These solutions provide identity management coherency across processes and relationships, as well as identity management consistency across multiple channels and organizations.
At the same time, they enable organizations to efficiently implement a wide range of identity management tools that blend the right identity elements together with the appropriate view and assurance level for each transaction. Established organizations can layer new identity management capabilities onto existing systems in the form of services. Merely extending enterprise identity management solutions will not work.
Three key concepts are at the core of the most successful health care consumer identity management solutions. They are general principles shared by diverse business-specific implementations.
1. Identity management is as much about business as about security. Identity validation (or “resolution”), verification and authentication – commonly regarded as security functions – have far-reaching business ramifications. How you perform them can strongly shape your most direct and therefore vital interactions with patients, payers, providers and other healthcare stakeholders. Thus, while it is important, and sometimes mandatory, to follow industry standards, it is also critical to make sure that the way in which you implement identity management is tailored to your market, business plan and mission to maximize business goals and minimize organizational risk.
2. “Know your health care consumer” is the point of balance for multiple – and possibly competing – objectives. “Know your healthcare consumer” is a phrase that traditionally has different meanings to health care consumer service than it does for security management Service people are concerned with raising healthcare consumer satisfaction by increasing access and ease. Security people are concerned with reducing risk by restricting access.
3. Ask for only what you need to know. Knowing more can, in fact, enable you to ask for less information. In identity management industry jargon, the objective is “friction reduction” through “data minimization.” Improve the health care consumer experience by not asking for information you don’t need.
Strong security can be, for the most part, invisible to the user. Analytics operating in the background can spot links between healthcare consumer data and suspicious entities or recognize suspicious patterns of verification failure.
Analytics can be integrated with business rules to adjust the security level and trigger appropriate treatments or approval of treatments. They can also be used to determine if the current transactional pattern of behavior is unusual. Reacting to healthcare consumer responses in real time – taking business rules for different product lines, channels and types of transactions, and an entity’s tolerance for risk – an identity management service can make dynamic decisions about when to invoke additional and/or stronger measures.
The number of identity-reliant transactions engaged in across the health care continuum is multiplying rapidly and becoming ever more critical to the success of individual health care organizations. When dealing with any situation involving the sharing of a patient’s personal health information it is essential these organizations ask themselves the fundamental question about the individual or entity with which they will be sharing the information: “What do we need to know about you?”
This question is the starting place for all other questions in identity management. The right answer is the key to making identity management an enabler of great services accessed with ease and delivered at a low coast and minimal risk of fraud.
Harry Jordan is Vice President and General Manager, Healthcare for the risk solutions business of LexisNexis. He directs the healthcare business, offering capabilities in health management, predictive claims fraud analytics and health information exchanges.
Another day, another study, but this one – about the EHR user’s satisfaction levels with their systems – seems to have some teeth. According to the survey, “EHR Satisfaction Diminishing,” which was administered by the adept AmericanEHR group, users of EHRs are becoming ever more disenfranchised with their EHRS.
According to the AmericanEHR, data was collected over a two-year period of time, from 2010 through 2012. After two years of use, and in some cases longer, practice leaders and caregivers who have time to figure out their electronic collection systems and who are past the test-drive phase say they are not happy with the technology.
I’ve made this case before, but this is one of the primary reasons I strongly recommend physicians not getting locked into extremely long-term contracts. For example, some vendors require seven years. That’s way too long. Stay away.
Nevertheless, this could just be a standard response to the technology as a whole, but let’s get to the results of the survey. For brevity’s sake, I’ve cut what I don’t find to be significant. Some of the results noted here are amazing and eye opening; you decide.
Highlights include:
71 percent of respondents were in practices of 10 physicians or less;
The average length of time that survey respondents had been using their EHRs was more than three years at the time of the EHR satisfaction survey;
Satisfaction and usability ratings are dropping. This holds true regardless of practice size, specialty type and across multiple vendors;
Overall, EHR user satisfaction reveals a 12 percent drop in satisfied users from 2010 to 2012 and a corresponding increase in very dissatisfied users of 10 percent for the same period;
In 2012, 39 percent of clinicians would not recommend their EHR to a colleague (I’m not surprised by this, especially given my experience with vendors);
Average satisfaction level with the ability to improve patient care decreased from 2010 through 2012 for all specialty groups;
Satisfaction with ease of use dropped 13 percent between 2010 and 2012 and 37 percent reported increased dissatisfaction in 2012;
34 percent of users in 2012 were very dissatisfied with the ability to decrease workload compared to 19 percent in 2010.
Why is this happening (according to AmericanEHR)? The following hypotheses may explain some of these findings:
With Meaningful Use, users may have lost some of their workarounds or have new ones that they have to do e.g. clinical visit summary that now takes 10 clicks and as a result workflow may feel more cumbersome;
The difference between cognitive versus procedural specialists. If one asked the majority of physicians how they would rate the quality of care they provide, most would likely say very good to excellent. Unless these physicians regularly use dashboards and reports they do not know whether they are doing better using an EHR. This is more challenging with procedural specialists such as a thoracic surgeon or orthopedic surgeon. It is not clear how the EHR helps with improving quality of care for proceduralists;
As we have further analyzed the data in related to satisfaction with the ability to improve patient care by duration of EHR use prior to completing the EHR satisfaction survey, there appears to be a strong correlation between length of use an EHR and ability to improve patient care especially in those who have been using an EHR for 5+ years. This could suggest that there is a minimum period of time that someone has to use an EHR before beginning to demonstrate improvements in patient care;
Dissatisfaction may also be a result of being asked to do something with an EHR that previously was not required (prior to Meaningful Use);
There continues to be an inability to complete certain tasks electronically despite having an EHR. For example, ACOs that require a paper form to be completed for registration of each patient in a pay-for-performance program, resulting in increased workload and decreased productivity/satisfaction.
Additional observations (which are amazingly insightful):
The speed of change in relation to the Meaningful Use program may be too much too fast for many practices who are unable to cope the demands and workload;
Different populations have different expectations. The pioneers and early adopters have a greater tolerance for the problems and challenges of implementing an EHR vs. those in the mid or late majority;
EHR systems clearly have usability issues which need to be addressed even with respect to basic functionality.
Recommendations (here’s the real gold):
Training is a significant deficiency. Training is required at all stages of adoption, both at time of implementation and as more advanced functionalities are required or integrated with EHRs. Almost 50 percent of respondents in a 2011 AmericanEHR report on the correlation of training duration with EHR usability and satisfaction reported receiving less than three days of training to use their EHRs or no training at all;
Dissatisfaction levels with basic EHR functionalities highlight the need to improve existing technologies rather than just focus on adding new features and capabilities;
Clinician workload within the practice must be re-balanced. Providers are working harder and face numerous additional challenges including the impact of payment reform and the need to comply with multiple incentive/penalty programs.
In closing, according to AmericanEHR: “If these issues are not recognized and addressed, the alternative is that clinicians will do the bare minimum in order to meet meaningful use requirements.”
Along with HIMSS’ largest money maker of the year — its annual conference — it’s also time for the results of its annual leadership survey.
While the results, which are reflected in the infographic below, are certainly interesting there is one point that seems to raise a flag immediately.
Prior to that, however, let’s take a quick look at the results. Accordingly, about 66 percent of the all health IT leaders say their organization qualified for meaningful use Stage 1 and 75 percent of the same folks expect to qualify for Stage 2. Additionally, nearly 90 percent of those who took the survey say they be ready for the ICD-10 switch later this year.
As such, there’s quite a need to hire new IT folks to carry the torch.
Next, it appears that nearly 20 percent of respondents said their health systems’ security was breech (at least those who admitted as much) and that 22 percent of said security was a priority for the coming year, which should be the case if 20 percent of them faced a security issue.
I understand the scope of the survey and who its respondents are, but doesn’t it strike anyone else as slightly odd that all of the changes to come are related to the IT? All, or much, of the reform is designed to engage patients and bring them closer to their care providers? Shouldn’t it be implemented to help improve outcomes and to drive better results and make the system more fluid? I guess IT is going to be what get’s us there. But along the way, couldn’t more be done at the care level as well as the IT level? Could some of the hiring take place to serve patients rather than the practice?
I digress. Apparently, for now, we’ll have to be thankful that all of this change is leading to improved job growth and fixes to the breeches that await us.
A straightforward piece of news from TEKsystems Healthcare Services, a provider of workforce planning, human capital management and IT services to the healthcare industry, showing the following results a joint survey with HIMSS Analytics regarding health organizations’ readiness pertaining to the implementation of electronic health record (EHR) systems.
According to TEKsystems, the survey shows insights into the status of EHR implementations, the challenges healthcare organizations face and areas of improvement; TEKsystems and HIMSS Analytics surveyed 300 single and multi-hospital organizations and health professionals throughout the United States. Key findings include:
Current State of EHR Implementations
Nearly 39 percent of hospitals have surpassed Stage 4 of the HIMSS Analytics Electronic Medical Record Adoption Model (EMRAM).
Currently less than half (43 percent) of integrated delivery systems or single hospital systems have completed their EHR implementation.
Achieving end user adoption
Nearly two-thirds of healthcare professionals (64 percent) believe achieving adoption is a roadblock to a successful EHR implementation.
“Achieving meaningful use and truly improving the quality of patient care can only happen if end users fully adopt a new EHR system in an acceptable timeframe. Organizations expect their people to adapt quickly, yet many do not plan for end user training until late in the effort,” says , TEKsystems vice president of healthcare services. “Upfront training strategy development would allow for the identification of key competencies and performance indicators. As organizations transition from implementation to day-to-day operations, any deficiencies in the ability to meet the targets can be pinpointed to either a specific user group, department or globally as indicated by analytics and aligning remediation accordingly. Developing an effective adoption strategy is a critical step that needs to be detailed earlier in the process and carried throughout the life of the initiative. That includes finding the appropriate resources necessary for building, integrating and conducting the training.”
Bringing in the right people and skills
Sixty-six percent of respondents cite the challenge of finding the right workers with the right skills for the implementation. More than half struggle with finding the right people to build a training program (57 percent) or lead the classroom discussions (53 percent).
“The supply of HIT talent is not keeping pace with the demand – from clinical trainers, builders and consultants to project and program managers. Finding the necessary resources can be a daunting task for many organizations, but one that is essential to achieving a successful EHR implementation,” continues Kriete. “That includes finding the right principal trainers and scaling to meet the overall training and adoption needs.
Conducting an impactful training experience for the end users
According to more than three-quarters of healthcare professionals, results of poor EHR training implementation include: rework (85 percent), lack of applicability to real-world scenarios (84 percent), low levels of user adoption (84 percent), long learning curves (82%) and inability to leverage the system for meaningful use (77 percent).
“The importance of effective training cannot be overlooked. To avoid these outcomes, organizations must proactively build a customized training program that is led by educators with clinical and technical EHR experience. The training cannot simply be ‘off-the-shelf.’ It should align with the overall organizational goals, workflows, technical requirements and end-user job roles” states Kriete. “One method for ensuring a training program is effective and builds confidence within an organization is to engage end users, those using the system on a day-to-day basis, in the development of the curriculum.”
“In addition to leveraging end users in this process, efforts should be taken to combine synchronous and asynchronous learning methods to foster a learning environment that meets the needs of the adult learner and their hectic schedules and a learning environment that is not bound by space or time” says Von Baker, TEKsystems healthcare practice director.
Including end users in the process
Overall, less than half of clinical end-user stakeholders are deemed completely engaged in the program; even the trainers for the new system are not fully engaged, with only 59 percent reporting their trainers are completely engaged in the process.
“This study shows the majority of executives and decision makers are engaged in the implementation process, but unfortunately, this is not the case with end users. Giving end users the opportunity to provide feedback during the development of and during the training boosts their sense of ownership and increases their confidence in the system post-implementation,” comments Baker.
Continuing to support end users after go-live
More than 50 percent of healthcare organizations anticipate end users will need more than six months to adapt to the new system.
“The work does not stop once the implementation is complete. Providing post go-live support is critical to ensure the end users fully adopt the system. Best practice is to create performance support tools for end users to have ready access to how-to reference guides when the needs arise – self service. The right blend of performance support tools depends on the organizations culture, internal drivers (i.e. varied workflows, varied specialties, and geographically dispersed facilities), and available technology. Underestimating the amount and degree of post go-live support can cause a decrease in productivity and performance and increase end-user frustration,” concludes Baker.
About TEKsystems Healthcare Services
TEKsystems Healthcare Services is dedicated to providing workforce planning, human capital management and IT services to the healthcare industry. Utilizing its suite of services, including EHR Implementation Support, ICD-10 Support and Data Services for BI, Reporting and Data Warehousing, they help healthcare organizations accomplish critical initiatives related to meaningful use, compliance, analytics, network transformation and revenue cycle management.
Thanks to Ken Perez, senior vice president of marketing and director of healthcare policy at MedeAnalytics, for forwarding me the following very concise, yet detailed information about the sequester and its impact on healthcare from a white paper he drafted on the subject.
For those of you wanting to know more about how the sequestration came to be and the purpose for the reduction in spending over the next 10 years, Perez and MedeAnalytics do a great job describing the reasoning for it and its potential impact to the healthcare community in “The Sequester: Analysis of Its Impact on Healthcare.”
Thanks, Ken, for offering us a nonpartisan view of the sequester. We appreciate the objectivity to what’s become a very subjective debate. If after reviewing the following information and you have any questions or comments, leave them in the comment section. If they are for Perez, I’ll make sure he gets them and can respond.
Background of the Sequester
The Budget Control Act of 2011 (BCA) was the compromise legislative solution that enabled the United States to get through the debt crisis of the summer of 2011. The act was passed by the House of Representatives on Aug. 1, 2011, by a vote of 269-161, and by the Senate on the following day by a vote of 74-26. The BCA was signed into law by President Barack Obama on Aug. 2, 2011 as Public Law 112-25.
The intent of the BCA was to rein in long-term federal spending and raise the debt ceiling. To those ends, it put in motion $917 billion in cuts to discretionary spending (excluding Medicare) over 10 years and raised the debt ceiling by $900 billion.
In addition, the BCA created a 12-member Joint Committee of Congress (also known as the “Super Committee”) to produce proposed legislation that would reduce the deficit by at least $1.5 trillion over 10 years.
The act mandated a sequestration process (or sequester) that would be triggered if the Joint Committee was unable to agree upon a proposal with at least $1.2 trillion in spending cuts. Ultimately, to no one’s surprise, the Joint Committee failed to reach an agreement, and the sequestration process was triggered. Per the sequester: 1) The President could request a debt limit increase of up to $1.2 trillion; and 2) across-the-board cuts equal to the debt limit increase would apply to both mandatory and discretionary programs, with total reductions split equally between defense and non-defense functions.
The across-the-board spending cuts would be implemented from FY 2013 through FY 2021, a period of nine years, and apply to both mandatory and discretionary programs. The cut to Medicare would be capped at two percent and limited to cuts to provider payments.
Exempt from the cuts were Medicaid, welfare programs (e.g., food stamps), and other low-income subsidies, as well as Social Security, veterans’ benefits, civilian and military retirement, and net interest payments.
What would be the annual reduction by function of the sequester? Per Table 1, starting with the total reduction of $1.2 trillion to be applied over the nine-year period, a specified 18 percent for debt service savings is deducted, and then the result is divided by nine to arrive at the annual reduction of $109.3 billion for each year for FY 2013 through FY 2021. In every year, the annual reduction is split evenly between defense and non-defense functions, resulting in a $54.7 billion reduction for each function.
The Impact on Medicare of the Original Sequester
According to a September 2012 report from the Office of Management and Budget (OMB), the sequester would pare Medicare in FY 2013 by $11.8 billion, with the following distribution of the cuts:
Medicare Part A: $5.8 billion
Medicare Part B: $5.2 billion
Medicare Part D: $0.6 billion
Sundry (including affordable insurance exchange grants, program management, state grants and demonstrations, and fraud and abuse control): $0.2 billion
The American Taxpayer Relief Act of 2012
In early January 2013, Congress averted the so-called “fiscal cliff” by passing the American Taxpayer Relief Act of 2012, Public Law 112-240, which, among many things, pushed out the implementation of the sequester until March 1, 2013, reducing the total cut for FY 2013 by $24 billion or 22 percent to $85.3 billion.
The Enactment of the Revised Sequester and Its Impact on Healthcare
Through March 1, 2013, President Obama and congressional leaders were unable to reach an agreement to avert the automatic spending cuts of the revised sequester.
According to the Congressional Budget Office and per Table 2, for FY 2013, the total cut of $85.3 billion includes $42.7 billion in cuts to defense, $9.9 billion in cuts to Medicare, and $32.8 billion in cuts to other non-defense programs.
Medicare accounts for 12 percent of the total cut and 23 percent of the nondefense portion. How might the $9.9 billion in cuts to Medicare be allocated? In the absence of further guidance from the OMB, a reasonable approach would be to apply the same proportions as the aforementioned September 2012 OMB report. This would yield the allocation reflected in Table 3, with Medicare Parts A and B sustaining the lion’s share of the cuts.
Medicare Part A could be cut by $4.9 billion, which could include an estimated $3.1 billion cut to the Hospital Inpatient Prospective Payment System (IPPS). This cut to the IPPS would translate into an estimated $0.9 million reduction in Medicare reimbursement for the average hospital.
Medicare Part B could be cut by $4.4 billion, which could include an estimated $1.7 billion cut to physician payments and a $0.7 billion cut to the Hospital Outpatient Prospective Payment System (OPPS).
According to the rule for sequestration, reductions in Medicare will begin in the month after the sequestration order is issued, i.e., April 2013, thereby delaying some of the effect on outlays until the ensuing fiscal year. Thus, for the federal government’s FY 2013, which ends September 30, 2013, the following could be the actual cuts:
IPPS: $1.55 billion
Physician payments: $0.85 billion
OPPS: $0.35 billion
Conclusion
The sequester clearly affects healthcare providers in FY 2013 in a material way. Unless it is repealed by Congress, the BCA — with its annual $109.3 billion sequester cuts for each of the next eight years — will raise the specter of two-percent funding reductions for hospitals and physicians on a yearly basis.
Because of the significance of healthcare to the federal budget and the nation’s economy, the broader philosophical and fiscal debate between the two political parties on what is the best way to reduce the deficit and engender economic growth will continue to impact the reimbursement rate-setting process.
