Decoding the New HIPAA Privacy and Security Rules

Andrew Hicks

Guest post by James D. Brown, CTO, StillSecure and Andrew Hicks, Director, Healthcare Practice Lead, Coalfire

In January, the U.S. Department of Health and Human Services (HHS) announced updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules. These new rules took effect on March 26, and business associates have until September 23, 2013, to reach compliance. Under HIPAA, a business associate is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of electronic protected health information (ePHI) on behalf of, or provides services to, a covered entity. So what exactly do these new rules mean for our partners and clients?

First, it is important to note that the new rules are really just formalizing and strengthening many of the changes that were announced in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), which clearly defines when HHS needs to be notified of a breach and increases the penalties for non-compliance.

Also, the biggest change that should be noted is that the regulations between business associates and subcontractors (for example, a health information organization and its cloud service provider) are now assumed to be held to a business associate agreement (BAA). In the past, subcontractors could choose to opt out of signing any agreement, which essentially limited liability should HHS come knocking. Under the new regulations, it is clear that any healthcare provider that comes in contact with actual ePHI must sign a formal business associate agreement, making each and every subcontractor liable during a breach.

Stated differently, this means that anyone who deals with ePHI should carefully read the new rules and understand how they will be directly liable for compliance. We will start to see a shakeout among business associate companies – healthcare facilities should closely examine whether a business associate agreement is signed just to win business, or is signed by a company that actually will be accountable for HIPAA requirements and take them seriously throughout the course of the relationship.

It is also important to note that under the new regulations, it is crystal clear that business associates are directly liable for compliance and can be fined, along with the actual health care provider as a covered entity.

Here are the top five issues that organizations need to be aware of:

1. Not knowing that they need to be compliant. Many people do not realize that shredding companies and office cleaning crews that may see patient data without realizing it are now liable. Anyone that has access to ePHI, regardless of their position and how far removed they are from the covered entity, is in full scope now.

2. Lack of solid inventory of where data lives. Data is constantly being transmitted back and forth via applications, web servers and file servers. However, many organizations lack a comprehensive inventory of where all of this data lives. This makes it difficult to accurately assess the risk of data storage. Participants must be able to control physical access to patient information and proactively protect against inappropriate access to the data at every exchange point. This is impossible to achieve without a solid inventory.

3. Risk analysis and data classification. Under HIPAA, there is a clear requirement that companies need to complete a thorough risk assessment of the storage, processing and transition of ePHI data. This risk to data needs to be clearly defined and any controls that are in place need to be outlined.

4. Controlling the flow of ePHI data via mobile devices. While there is not a requirement within HIPAA that addresses mobile devices, iPads, iPhones, and Androids frequently hold ePHI data. Organizations need to implement corporate BYOD policies and have controls in place including passwords and remote capabilities to protect this data.

5. Encryption. There seems to be a lot of confusion around encryption as many people translate this addressable specification as being optional. Some organizations see “encryption” and after evaluating what it entails, decide that it costs too much money or translates as optional. If there is a security breach, HHS officials will first ask if the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that are in place surrounding data that may be at risk. This documentation serves as a road map for developing action items based on priority or level of risk. When a breach occurs, organizations need to demonstrate their due diligence to show that all risks were acknowledged. We cannot stress enough how thorough this documentation should be. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.

We continue to see these issues every day. The bottom line is that organizations should thoroughly read through the new rules and engage with third-party vendors to make sure that they are covered and can avoid paying penalties. Those interested in exploring a third-party solution should ensure that their prospective vendor provides a suite of proven network security and compliance technologies, compliance data center policies and procedures, and round-the-clock analyst coverage to monitor and manage networks.

James D. Brown is responsible for overall product and services strategies, and architecture and implementation of StillSecure’s product suite. James has tremendous experience in both public and private cloud security and helped create the industry’s first comprehensive Cloud Security Services Platform that supports physical, virtual and multi-tenant environments. Brown has more than 20 years of experience in the network security, IT, telecommunications, and human resources industries.

Andrew Hicks, director, healthcare practice lead, Coalfire, has over 10 years of experience in IT governance including responsibilities specific to the IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance spaces. His experience and understanding of business processes and technology has allowed him to excel in the areas of policy development, internal control design and testing, project management, system development reviews, and risk mitigation.

IT Outsourcing Is Not a Fad: Why Investment in Information Technology is the Means to an End

Dan Tully

Guest post by Dan Tully, executive vice president, Conduit System.

IT is not a sink hole. IT is not a cost center. IT is not a fad. This is especially true when it comes to healthcare. In fact, carefully calculated IT investments can produce a range of strategic and operational benefits for healthcare/hospital administrators, practice managers and more, which include enabling advanced technology and accelerating innovation.

How, you ask?

IT Investment Affects the Bottom Line

Strategic investment in IT operations is a foundation for building revenue. To understand how, one need look no further than the average mid-sized healthcare operation and how its processes can be improved:

Fluid output from nurses stations; simplified statistic, biometric and medication reporting; linking of disparate department systems

Streamlining the hiring processes; simplified expense report and vacation request procedures; compliance with complicated regulatory measures

Reliable monitoring of capital investments; improved data and measurement capabilities; compliance with healthcare-related finance ruling

The up-front and hidden costs of downtime caused by unforeseen disaster can also be mitigated through proper investment in IT outsourcing. Organizations and practices operating on disk-to-disk backup are at a significant disadvantage compared to those employing more modern technology.

Cloud-based solutions that combine local caches of files with full-time cloud backup boast advanced performance levels and functionality. They also allow for unlimited data growth, little to no network performance lag and true disaster recovery, as the data can be pulled from the cloud and reconstituted anytime, anywhere.

Big Picture, Big Results

Average IT staffs are tasked with keeping the proverbial ship afloat on a daily basis. With an investment in managed IT services, on-site and high-level staff can focus on the above-mentioned projects that ultimately fuel growth and provide return on investment. If your operation needs to embark on a replacement/upgrade project that requires the complete attention of your IT staff, contract engineers and support teams can handle the daily minutiae. An added bonus? Relieving the burden can promote happiness, motivation and creativity among full-time employees.

Investment in IT Allows You to Focus on What You Do Best

Let’s face it – IT is a necessity. It’s essential no matter what part of the healthcare industry you belong to. Overall investment in IT operations and support allows top officials to focus on what they do best: manage operations and improve patient outcomes. There’s certainly nothing trendy about that.

Healthcare and Practice Leaders Need Operational Efficiency to Address Full Implementation of Affordable Care Act

Increasing operational efficiency will be critical for healthcare providers this year in anticipation of the full implementation of the Affordable Care Act in 2014.

The law will mean thousands of previously uninsured patients will now have healthcare coverage, which is expected to lead to sharp increases in visits to physician offices. This influx of patients will mean that physician offices will have to operate as efficiently as possible to control costs while handling the new demand.

Physicians and staff won’t have the time to search through paper files, which are inefficient in the best of times and will become only more so as the number of files grows along with the number of patients.

If a patient needs his or her records for a lab, hospital or another medical facility, referral to another physician or for some other reason, he or she wants to be able to have the records quickly and know that they are stored safely.

The growing files also mean storage issues for paper documents. Physical space isn’t an issue for electronic storage.

“Productivity has increased 100-fold” since installing Digitech’s ImageSilo ECM, says John Herndon, manager of IT, patient accounts at the University of Illinois at Chicago Medical Center. “We’re able to access information in almost real time. The reporting structure is excellent. I like the audit trail – especially in healthcare, that’s extremely important. The ability to follow the document allows us to stay in control.”

Eliminating the inefficiencies of paper documents is essential from the business perspective of running a physician or medical practice. ECM is critical from a compliance standpoint as well for medical practitioners who want to take advantage of the government incentives offered for converting to electronic health records.

Medicare, Medicaid Considerations

To continue to participate in Medicare and Medicaid electronic health record (EHR) incentive programs, eligible medical professionals as well as eligible hospitals and critical access hospitals must meet the government’s “meaningful use” requirements.

Eligible professionals can receive up to $44,000 through the Medicare EHR Incentive Program and up to $63,750 through the Medicaid EHR Incentive Program “to implement, upgrade or demonstrate meaningful use of certified EHR technology,” according to the federal government’s Centers for Medicare and Medicaid Services.

Implementation of an ECM system enables a medical provider to achieve compliance for Stage 2 of meaningful use requirements and to be prepared for implementing Stage 3.

However, simply moving to electronic files is only part of the solution. Just as a physician and his or her staff don’t have the time to be shuffling through paper records, most also don’t have the technical expertise or the desire to install and maintain hardware and software.

Go to the Cloud

So the answer is an ECM system that is deployed via the cloud, using Software-as-a-Service. Such a deployment means that the medical office doesn’t need to install any additional hardware, and any software patches or other updates are handled by the supplier. This means that there are no capital expenditures (e.g., computer, server or additional storage capacity) to get started. The physician or medical office pays for the on-demand service on an as-you-go basis, meaning the user can deduct the cost as an operating expense as incurred for tax purposes, rather than capitalizing and depreciating expenses over several years.

Another important factor is that since a cloud-based solution isn’t housed on site, there’s no fear of losing data in the event of a natural disaster or a power outage. Make sure that the provider has redundant, geographically distributed data sites. This ensures that in the case of a regional disaster, like Hurricane Sandy, the records are still intact and easily retrievable through an Internet browser. Similarly, the provider should have sufficient capacity and systems to provide a 99.9 percent uptime guarantee.

Other Considerations

In evaluating ECM solutions, it is also critical that a healthcare provider scrutinize some other elements of the offering. It should work seamlessly and integrate easily with other commonly used applications, like Microsoft Office. Similarly, it should enable the user to view hundreds of different types of files.

The solution should include encryption capabilities and multiple layers of security to ensure patient privacy and data integrity. Extensive audit trails, security controls and easy implementation of records retention and destruction capabilities are necessary to meet government and industry regulations.

Extensive, full-text search capabilities that support synonym, fuzzy logic, natural language and other functionality are critical to making the retrieval of records truly fast and efficient.


ECM is essential for medical providers to handle the flood of new patients expected from full implementation of the Affordable Care Act in 2014. By installing such a system in 2013, providers have the time to learn how to best benefit from the efficiencies of an electronic system before the onslaught of new patients comes in 2014. A cloud-based solution relieves the technical and capital expense complications and enables a medical provider to start using ECM immediately.

Anoto Digital Pens Reduce Paperwork and Create Efficiencies for St. Louis’ Metro Imaging and Radiology

One thing recently became increasingly important to Metro Imaging and Radiology, an independent radiology practice with five locations throughout St. Louis, Missouri: meeting meaningful use.

In 2012, Metro Imaging added an electronic health record after having used NextGen’s billing system for several years. Along with the EHR, the chain added the Anoto digital pen.

With more than 100,000 annual patient visits, the practice sought a viable solution to help streamline the intake process and reduce some practice inefficiencies, like scanning and filing paper patient forms.

“We knew it was going to be difficult to reach meaningful use, and we needed something that was going to be very efficient,” said Christine Keefe, chief financial officer at Metro Imaging. “We couldn’t have anything that slows us down too much.”

The Anoto pens seemed like the best solution. The pen stays charged for 10 hours and can hold 200 pages filled out top to bottom.

The practice was sold on the pen because of its ability to capture the information being entered onto paper forms, especially the patient intake forms. According to Keefe, the pens were only considered based on a recommendation from its NextGen representative, but since implementing them, the practice has completely done away with any manual scanning of patient forms.

On top of that, the clinic has completely gotten rid of paper (except for the patient intake forms used at the front of house) and it no longer keeps paper files.

The first week following implementation was the most difficult, she said, but since then everything has settled back to normal and there have been no hiccups. The EHR was probably a more significant change than adding the pens. After all, the patients rarely notice there’s something different about the slightly larger ball points.

The pen captures the data entered into the fields of the paper forms by the patient through a small camera on the pen. It snaps 70 images per second as a patient enters the required data, storing them until the pen is docked on a charging station, at which point it downloads all of the information it contains into the practice’s EHR through a USB port.

“A great thing about the pen is that you can dock it, ignore it and by the time you’re done doing other things, everything is downloaded and you can use it again,” Keefe said.

An immediate benefit, other than reducing the amount of manual input required of clinical staff, is that the forms used by the practice are customized and capture data in a structured manner.

Staff that previously focused on transcription, scanning and filing now have had their resources reallocated to claims and billing administration and patient relations. For example, staff has more time to follow up with patients and address any billing and claims issues that come up.

The practice currently uses 25 pens; five per practice. Each costs $385 and there is a $1,000 license fee. Additionally, the practice pays a regular maintenance fee. The pens can be used for hours without re-charging and can capture multiple people’s records without needing to be docked.

The pens are also Bluetooth-enabled and can transmit information wirelessly back to a healthcare setting, making them appropriate for home health workers and others that work outside the four walls of the practice.

They are the ideal technology too, since today more than 80 percent of physicians still rely on traditional pen and paper to capture patient information. Finally, digital pens offer a simple, alternative way to capture data and transfer it into an EHR, especially for physicians concerned about a computer or tablet PC getting in the way of their patient’s experience.

“We like the flexibility the pens have created for us,” said Keefe, “anything to cut down on work at the front desk.”

Metro doesn’t use them in the clinical setting yet, Keefe said, but there has been some interest in bringing them into the exam room. If things continue to go as smoothly as they have, that decision would be like hand meeting glove.

HIT Thought Leader Highlight: Dr. Juergen Fritsch, M*Modal


Dr. Juergen Fritsch, co-founder and chief scientist of M*Modal Inc., discusses the company, how it is used in the care setting, the market trends and where it is going.

What is M*Modal?

M*Modal is a leading healthcare technology provider of advanced clinical documentation solutions, enabling hospitals and physicians to enrich the content of patient electronic health records (EHR) for improved healthcare and comprehensive billing integrity.

As the largest clinical transcription service provider in the U.S., with a global network of medical editors, M*Modal also provides advanced cloud-based speech understanding technology and data analytics that enable physicians and clinicians to capture and include the context of their patient narratives in a single step into electronic health records, further enhancing their productivity and the cost-saving efficiency and quality of patient care at the point of care.

Why is it disruptive and important to the community?

M*Modal’s technologies are disruptive because they empower physicians with the ability to make informed decisions at the point of care, one of the most critical factors in reducing healthcare costs and improving patient outcomes.

M*Modal’s solutions are important because they are designed for healthcare by healthcare experts. As such, the solutions understand multiple dialects, accents and cadences, pull from a repository of more than 200,000 physician voices in the cloud and are only medically focused.

What is its potential?

M*Modal has the potential to transform the way the entire healthcare industry leverages advanced clinical documentation technologies and services, ensuring that all stakeholders across the healthcare spectrum, from the patient to the coders on the back end, benefit from the advanced clinical documentation workflows available in today’s and tomorrow’s healthcare settings.

Who’s using it? Why? What is the ROI?

M*Modal provides hospitals and physicians with the healthcare industry’s most advanced clinical documentation solutions. These stakeholders use our solutions to enhance how healthcare professionals capture and manage clinical documentation for improved quality, cost savings, reimbursements, compliance and patient care. Examples include enriching electronic health records for patient care quality and comprehensive billing integrity.

In terms of ROI, our technologies can identify documentation deficiencies and address them via closed-loop workflows, which improve the quality of the clinical patient note and increase the efficiency of documentation processes. Our advanced clinical documentation tools drive adoption of electronic health record systems, saving providers time & expenses.

How did it start? What is it doing to advance?

M*Modal grew out of research performed at Carnegie Mellon University in the late ’90s. The company’s founders developed a radically new technology for understanding conversational human interactions on the telephone. The technology proved to be an even better match for dictated clinical notes as created by healthcare professionals throughout the United States and elsewhere. Today, M*Modal processes millions of hours of verbal healthcare documentation for more than 200,000 physicians each year.

To advance our impact we are also focused on forging partnerships. We just announced several new partnerships with major industry players such as 3M, Optum and Intermountain Healthcare and we have established partnerships with top providers of electronic health record systems, including Epic, Allscripts and Merge. We are constantly working with partners to develop and address industry challenges as they arise.

How is it used in the care setting?

Our advanced speech and natural language understanding technology is used in a wide variety of clinical and administrative healthcare workflows, for example enabling physicians to interact with their clinical systems via voice anytime, anywhere, using their preferred device. This enables instant access to critical information for patient care, allowing providers to spend more time with the stakeholder that matters most – patients.

Additionally, hospitals and practices are using our solutions to analyze vast amounts of unstructured clinical documentation, identify documentation deficiencies and close care gaps. Traditional electronic health record systems do not provide this level of insight and so our solutions fill a critical need that becomes more and more important as we progress from a fee-for-service to a value-based reimbursement and accountable care model.

Tell me something about transcription tools that nobody seems to know.

Our advanced speech and natural language understanding technology has made the process of turning dictated physician notes into structured clinical documents roughly twice as fast as a traditional transcription workflow. On top of that, transcription services are slowly but steadily evolving to also include data validation services. That trend will continue as hospitals seek to lower their cost and free-up physicians to spend more of their time caring for patients rather than dealing with technology.

Should patients care about speech recognition?

Many patients are already familiar with speech recognition technology through their use of off-the-shelf consumer products that some of them are using at home. In my view, it is less the speech recognition technology that they should care about, but the significant advances that we have made in the past few years around computers understanding natural human language. That technology together with the vast and ever growing amounts of “big data” that are being created in healthcare is allowing physicians and other care providers unprecedented insights into healthcare outcomes and ultimately will be a key driver of improved healthcare.

What do you see as the most important health IT trends currently affecting the market? Why?

The most important health IT trend that’s affecting the market today is the move toward more outcome- and prevention-based reimbursement models. Rather than paying for services provided, the market will shift rapidly toward paying fixed budgets to manage different types of diseases, particularly the costly chronic ones such as heart disease, diabetes, etc. Healthcare information technology is adjusting to this and is developing new solutions that are focused on personalized medicine to prevent diseases rather than just supporting the treatment of them once they occur.

Where are we going as a market?

As I noted earlier with the new outcomes-based focus, I would say that we are rapidly moving toward a more sustainable healthcare cost model, with a much improved focus on disease prevention and personalized treatment plans.

What is the number one complaint you hear regularly from caregivers?

By far the number one complaint is that outdated, inefficient technology is bogging them down, requiring them to spend more time in front of the computer, leaving less time to take care of their patients. In part, this stems from the fact that many hospitals have bought into decades-old electronic health records systems with inefficient workflows that slow down physicians, particularly in today’s world of increasing data capture requirements. But there is also a generation of newer information technology on the market now — such as speech and natural language understanding technology — that actually help improve physician productivity while also providing better insights into their patient population. The bottom line is: physicians and hospitals need to closely follow the healthcare IT market to identify the tools that can drive their efficiencies and improve their outcomes.

What are caregivers most excited about?

Many care givers are excited about mobile devices — mostly about tablets like the iPad Mini. It allows them to do many of their tasks more efficiently while on the go, even sharing a lot of information effectively with their patients. Virtual assistant technology is also of great interest to many physicians, particularly in combination with mobile devices. You will see many new mobile apps hitting the market in the next few years that will allow care givers to verbally ask complex questions about their patients’ health record and get answers within seconds.

What piece of regulation would you like to see abandoned? Adopted?

I’d like to focus on pieces of regulation that I would like to see adopted more readily or more expediently. The key ones for me are interoperability standards and the respective regulation found in the ARRA HITECH Meaningful Use program. Almost every other industry has embraced interoperability. You can get cash at virtually any ATM in the world — but you can’t transfer your electronic patient health record from one EHR provider to the next (at least, not without major effort). We need to change that, and we need to do it quickly. Regulation can help with that.

Dr. Juergen Fritsch is co-founder and chief scientist of M*Modal Inc. where he leads research efforts in the fields of speech and natural language understanding for clinical documentation. His work focuses on building and improving a medical language understanding system that is based on standardized medical ontologies and vocabularies while employing statistical algorithms to learn from vast amounts of linguistic data. He has published more than 20 peer-reviewed papers and has been granted five patents on original speech recognition and natural language processing research. Juergen received his Ph.D. (1999) and M.Sc. (1996) degrees in computer science from the University of Karlsruhe, Germany.

In Light of $12 Billion in Federal Incentives,’s Top Frequently Asked Questions

In light of recent reports that nearly 220,000 hospitals, office-based physicians and other eligible professionals have received more than $12 billion in federal incentive payments, I thought I’d highlight the top questions as featured on’s FAQ section.

But, a little perspective first. According to Modern Healthcare, to this point, 3,757 hospitals, or 75 percent of the 5,011 U.S. hospitals that are eligible to receive federal funds under the program, have received an EHR incentive payment.

Also, “215,500 physicians and other EPs, or 41 percent, of the 527,200 total physicians and other professionals deemed eligible to participate, have been paid. Some 85 percent of hospitals and 70 percent of physicians/EPs are registered under the programs, the CMS reports.”

So, back to the original story:’s Frequently Asked Questions and the answers. If you’re not aware of the resource, it serves a broad-based audience with a smattering of questions and responses. For example, there are a variety of topics including billing, e-health, data navigation, EHR incentive programs; well, you get the point.

Here’s a short list of some questions and their answers:

How and when will incentive payments for the Medicare Electronic Health Record (EHR) Incentive Programs be made? For eligible professionals (EPs), incentive payments for the Medicare EHR Incentive Program will be made approximately eight to 12 weeks after an EP successfully attests that they have demonstrated meaningful use of certified EHR technology. However, EPs will not receive incentive payments within that timeframe if they have not yet met the threshold for allowed charges for covered professional services furnished by the EP during the year. Payments will be held until the EP meets the threshold in allowed charges for the calendar year ($24,000 in the EP’s first year) in order to maximize the amount of the EHR incentive payment they receive. Medicare EHR incentive payments are based on 75 percent of the estimated allowed charges for covered professional services furnished by the EP during the entire calendar year. If the EP has not met the threshold in allowed charges by the end of calendar year, CMS expects to issue an incentive payment for the EP in March of the following year (allowing two months after the end of the calendar year for all pending claims to be processed).

Does CMS have a website to find out more information about the CMS Section 508 Program? Yes, CMS has a website section.  It can be found at

What is CMS? The Centers for Medicare & Medicaid Services (CMS) is a branch of the U.S. Department of Health and Human Services. CMS is the federal agency which administers Medicare, Medicaid, and the Children’s Health Insurance Program. Provides information for health professionals, regional governments, and consumers. Additional information regarding CMS and its programs is available at

When eligible professionals work at more than one clinical site of practice, are they required to use data from all sites of practice to support their demonstration of meaningful use and the minimum patient volume thresholds for the Medicaid EHR Incentive Program? CMS considers these two separate, but related issues. Meaningful use: Any eligible professional demonstrating meaningful use must have at least 50% of their patient encounters during the EHR reporting period at a practice/location or practices/locations equipped with certified EHR technology capable of meeting all of the meaningful use objectives. Therefore, States should collect information on meaningful users’ practice locations in order to validate this requirement in an audit.

How do physicians join or leave a group? If both the physician and the group are already enrolled with the same carrier, the physician and the group together are required to complete a CMS 855R showing the date the physician joined the group and reassigned benefits to the group. If a physician leaves a group, the physician or the group should complete the CMS 855R, showing the date the physician left the group. When leaving the group, the CMS 855R does not need to be signed by both the physician and the group. If either the physician or the group have not enrolled with the carrier, they must first complete the appropriate CMS 855 for either an individual (CMS 855I) or group (CMS 855B) before the reassignment can be effective.

For the list of top questions CMS addresses, visit the following link:

If nothing else, this makes for good reading. In light of all the changes and ever-present developments, I felt it worth sharing.

Will Regulation of Mobile Health Devices and Apps By the FDA Be the Industry’s Sin Tax?

Your smartphone a medical device? There’s a possibility that this could happen as Washington and its players continue to evaluate whether the Food and Drug Administration should regulate mobile app technologies, including health-related apps.

The current administration’s interpretation of mobile health innovation and regulation, and of how those innovations benefit patients, will likely determine whether regulation, and ultimately taxes, are assessed on them.

Mobile health apps can range from an iPhone app that monitors diet to mobile or wireless technologies used in hospitals and home-care settings.

Obviously, developers and those producing the apps want more clarification on the issue. As expected from a federal agency, the FDA issued draft guidance in 2011, according to Modern Healthcare, about how it plans to oversee mHealth apps, but nothing final has been released. So, what we’ve seen may not ultimately be what we get.

Some people believe health apps will help solve the overwhelming cost crisis in healthcare; thus, shackling them with additional oversight, taxes and regulation will stifle a burgeoning industry. As such, according to Modern Healthcare, there needs to be “’predictable, transparent and risk-based regulation,’ the value of interoperability, and reimbursement policy that aligns stakeholders.”

I couldn’t have said it better myself, and I agree with the fear some lawmakers have that FDA regulation of smartphones, tablets and apps could mean those technologies are subject to the medical device excise tax, a 2.3 percent tax on the sales of certain devices that went into effect in January.

The tax is part of the Patient Protection and Affordable Care Act and is considered the device industry’s contribution to financing healthcare reform.

In a March 1 letter to FDA Commissioner Dr. Margaret Hamburg (PDF), the House committee leading testimony asked the FDA to clarify whether the smartphones and mobile health apps will be subject to the tax. No response as yet. Not surprising. Additionally, leadership also requested that the agency provide information about when it plans to issue final guidance on how it plans to oversee mobile medical apps.

“Most Americans have no idea that their smartphone, tablet or the mobile apps that have become part of their daily lives could be subject to added red tape or a new tax under Obamacare,” Energy and Commerce Committee Chairman Fred Upton (R-Mich.) said in a news release.

According to the Washington Post, “In 2012, Congress gave the FDA the green light to define which medical apps would require its attention. The agency has asked for comment on a proposal that would give it regulation authority over accessories to existing medical devices, such as apps that show MRI scans, as well as apps and accessories that transform mobile devices into regulated medical devices, such as attachments or apps that turn smartphones into heart monitors.”

Those with an interest at stake here should feel some level of concern, no matter which side of the aisle they happen to sit on. Further regulation, and definitely taxation (especially at the app user level), will destroy the momentum these tools have gained in the market since they were developed.

At the very least, the seemingly unending and elusive patient engagement game that plays on may find itself put on pause, as this has the potential to once again remove personal control of tools designed to help manage and improve one’s health and to regulate it.

In many ways this seems like a sin tax. High taxes are used to get people to quit bad behavior, like smoking. When the price gets too high, they (ideally) quit.

HIPAA Risks Associated with Using Tools Like Skype During Patient Communication

Skype and unbridled communication between caregivers and their patients have opened a great many opportunities for care to be offered the world round, from a variety of locations within our own communities to remote and unconventional places in other areas of the world.

In a nutshell, Dr. DeShan spends several months in Russia each year leading an international medical mission where he serves some of Moscow’s most needy, as well as delivers care to some of the world’s remote people through journeys into the wilderness.

When he’s in Moscow serving patients, he’s able to stay connected to his practice in Midland, Texas, where he’s a partner at a thriving OBGYN. Aside from relinquishing a few of his daily duties, such as delivering, he’s able to maintain a full patient load and he does that in part using the web and tools like Skype to maintain contact with them and with his practice.

Personally, I believe the work DeShan is doing is fascinating. He’s using his talent and skill to follow his passion and his calling in life. His practice and his patients are in support of his work and in no way does he keep it from them. Those patients that were not comfortable with interacting with him part time through the web were assigned to other practitioners.

However, I’ve always wondered if Skype is a tool that can be trusted for such work. Despite his good deeds, I always wondered whether he’s in HIPAA compliance.

According to a recent article in Medical Office Today, I’m not the only one. According to the article, “Notwithstanding the fact that Skype is ubiquitous, its use may be inappropriate for healthcare providers as web-based platforms raise a number of significant HIPAA privacy and security issues:

Also, according to the piece, HIPAA and its resulting regulations pertaining to privacy and security require covered entities such as healthcare providers to protect the confidentiality of protected health information and guard against unauthorized access, use, and disclosure of such information.

Among other things, the HIPAA rules require:

“The use of web-based platforms, especially those that are proprietary, makes it difficult for healthcare entities to meet many of their HIPAA obligations,” the article states. “As a consequence, telehealth providers carry a higher risk of potentially violating HIPAA rules when they use services such as Skype.”

The Health Information and Trust Alliance recommends against the use of Skype and similar platforms for communications involving health information, concluding that web-based platforms are not secure and are an inappropriate way to communicate with patients, especially when the communication involves health information. Their view was confirmed late last year when a security flaw was discovered in Skype that put users’ personal information at risk of disclosure.

“All of this does not mean a healthcare professional should not use Skype to communicate to patients, only that they be aware of the increased risk of violating HIPAA and think long and hard prior to using such technology.”

However, should a provider insist on using Skype, there are some steps they should consider to better protect themselves from potential HIPAA liability (all good tips, according to the magazine):

Only HIPAA-compliant technologies can truly protect a physician and a patient. These steps may help. In the long run, though, as I’m sure Dr. DeShan would agree, don’t let the cost of the work keep you from doing it.

Implementing an Electronic Health Record Does Not Ensure Practice Productivity or Profitability

A new report suggests that, by implementing an electronic health record, the average physician lost just as much as he or she would have gained from the full meaningful use incentive payment for the last five years ($44,000), which basically makes the whole thing null and void.

There’s a caveat, though. The practice that has implemented and is using the EHR needs to make a few changes to the way the practice runs or else the saving is lost. Somewhat of a no-brainer. According to the study, which is published in Health Affairs, only 27 percent of practices achieved a positive five-year return on investment by implementing the electronic systems.

The trouble, according to the survey, is that practices “failed to make operational changes to realize the benefits of EHRs such as doing away with paper records after implementation of the electronic systems, adoption, as well as dictation, billing services and positions or staff members who were performing services no longer required after EHR adoption.”

A reduction in the required workforce at the practice after the implementation of an EHR is a common problem. I’ve spoken with several practice leaders who cited it as such, and in many cases, staff whose positions were eliminated because of the software have been re-assigned to other areas. There are only a few practices with which I’ve spoken where employees were laid off because of the systems. I expect this number to grow as more systems come online.

According to MedPage Today, which published the results of the study, the study sought “pre- and post-adoption financial cost/benefit data from practices such as total revenue, total operating costs and total labor costs. Researchers also asked for information on areas that were impacted by EHRs, such as the cost of paper medical records, dictation services, and billing services.”

The results of the study showed that the average physician lost $43,743 over five years. Primary care practices fared better than specialists. Practices that saw a positive return on EHR investment increased revenue by more than $114,000 per physician over five years, results showed. In comparison, practices with a negative return on EHR investment saw revenue increase by an average of only $9,200 per physician in five years.

“Even when adding federal incentives to use EHRs, the majority of doctors would have lost money,” MedPage Today reports.

Other results from the study include:

This is a bit surprising: Practices with a practice management system in place prior to EHR implementation to help with billing functions benefited less on average.

Seems like some of the unexpected consequences of EHR use are finally working their way to the top and a bit of the actuality of the situation is coming out; just because a system is implemented, doesn’t mean everything is going to be great. “Wide usage of EHRs was supposed to help doctors increase revenue through improved billing and efficiency gains that would allow them to see more patients per day. However, doctors have complained that EHRs are cumbersome and cause physicians to spend more time documenting patient visits,” the magazine states.

HIT Thought Leader Highlight: Andrew Olowu, Axxess Technologies