I’m a cynic and I’m snarky. They are character traits earned from my days as a reporter at the newspaper. Constantly being pitched the greatest new thing meant to change the world when rarely these things lived up to their promise made me this way.
The latest offering from the Office of the National Coordinator for Health Information Technology (ONC), the site is being billed as a place for public input to update the Federal Health IT Strategic Plan.
According to the site, the plan outlines goals and strategies for the nationwide shift to electronic health records and information exchange, and for creation and spread of new health information technologies. “On this site, you can learn about these issues and be part of the public discussion that will shape the new plan. Whether you’re a patient, consumer, provider, insurer or IT developer, you should have a voice in this process.”
The rest of the site focuses on a variety of topics in discussion board fashion (think late ‘90s comment-based webpage) where consumers, the general public and anyone else with an opinion of any kind can respond to the seeded ONC topic.
Some of the topics include:
Current Efforts: Empowering consumer action
Current Efforts: Shifting attitudes
Supporting “shared decision-making” through health IT
Supporting “personalized healthcare”
The list goes on, with a few sparse comments to support the topics addressed, and some questions and responses.
The rest of the site features some meager announcements and a bit more info about PlanningRoom.org.
I’ve been a supporter of many of HealthIt.gov’s work and have featured it multiple times on this site for the availability of their information and the organization’s outreach to the public and the HIT community, but PlanningRoom.org is a limp attempt at a public information movement.
I’ve got to hand it to ONC for trying to engage the public in an information and educational campaign, but this effort wreaks of propaganda. For the most part, the comments are thin and generic and the “conversation” here seems someone staged.
This sure seems to resemble the acts of a start up site looking to generate page views and buzz. Certainly, there are people interacting with the site, but it comes off as fluff; a bit too polished if you will.
Call it the cynic in me, but at present, this effort just isn’t enough to make me think it’s going to drive any real change. Perhaps as it grows and evolves it will be worth a lot more, but in its current, state, not so much.
Guest post by James D. Brown, CTO, StillSecure and Andrew Hicks, Director, Healthcare Practice Lead, Coalfire
In January, the U.S. Department of Health and Human Services (HHS) announced updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules. These new rules will took effect on March 26 and business associates have until September 23, 2013, to reach compliance. Under HIPAA, a business associate is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of electronic protected health information (ePHI) on behalf of, or provides services to, a covered entity. So what exactly do these new rules mean for our partners and clients?
First, it is important to note that the new rules are really just formalizing and strengthening many of the changes that were announced in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), which clearly defines when HHS needs to be notified of a breach, as well as increases the penalties applied around non-compliance.
James D. Brown
Also, the biggest change that should be noted is that the regulations between business associates and subcontractors (for example a health information organization and its cloud service provider), are now assumed to be held to a business associate agreement (BAA). In the past, subcontractors could choose to opt out of signing any agreement, which essentially limited liability should HHS come knocking. Under new regulations, it is clear that any healthcare provider that comes in contact with actual ePHI must sign a formal business associate agreement, making each and every subcontractor liable during a breach.
Stated differently, this means that anyone who deals with ePHI should carefully read the new rules and understand how they will be directly liable for compliance. We will start to see a shake out in the business associate companies – healthcare facilities should closely examine whether a business associate agreement is signed just to win business, or is signed by a company that actually will be accountable for HIPAA requirements and take them seriously throughout the course of the relationship.
It is also important to note that under the new regulations, it is crystal clear that business associates are directly liable for compliance and can be fined, along with the actual health care provider as a covered entity.
Here are the top five issues that organizations need to be aware of:
1. Not knowing that they need to be compliant. Many people do not realize that shredding companies and office cleaning crews that may see patient data without realizing it are now liable. Anyone that has access to ePHI, regardless of their position and how far removed they are from the covered entity, is in full scope now.
2. Lack of solid inventory of where data lives. Data is constantly being transmitted back and forth via applications, web servers and file servers. However, many organizations lack a comprehensive inventory of where all of this data lives. This makes it difficult to accurately assess the risk of data storage. Participants must be able to control physical access to patient information and proactively protect against inappropriate access to the data at every exchange point. This is impossible to achieve without a solid inventory.
3. Risk analysis and data classification. Under HIPAA, there is a clear requirement that companies need to complete a thorough risk assessment of the storage, processing and transition of ePHI data. This risk to data needs to be clearly defined and any controls that are in place need to be outlined.
4. Controlling the flow of ePHI data via mobile devices. While there is not a requirement within HIPAA that addresses mobile devices, iPads, iPhones, and Androids frequently hold ePHI data. Organizations need to implement corporate BYOD policies and have controls in place including passwords and remote capabilities to protect this data.
5. Encryption. There seems to be a lot of confusion around encryption as many people translate this addressable specification as being optional. Some organizations see “encryption” and after evaluating what it entails, decide that it costs too much money or translates as optional. If there is a security breach, HHS officials will first ask if the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that are in place surrounding data that may be at risk. This documentation serves as a road map for developing action items based on priority or level of risk. When a breach occurs, organizations need to demonstrate their due diligence to show that all risks were acknowledged. We cannot stress enough how thorough this documentation should be. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.
We continue to see these issues every day. The bottom line is that organizations should thoroughly read through the new rules and engage with third-party vendors to make sure that they are covered and can avoid paying penalties. Those interested in exploring a third-party solution should ensure that their prospective vendor provides a suite of proven network security and compliance technologies, compliance data center policies and procedures, and round-the-clock analyst coverage to monitor and manage networks.
James D. Brown is responsible for overall product and services strategies, and architecture and implementation of StillSecure’s product suite. James has tremendous experience in both public and private cloud security and helped create the industry’s first comprehensive Cloud Security Services Platform that supports physical, virtual and multi-tenant environments. Brown has more than 20 years of experience in the network security, IT, telecommunications, and human resources industries.
Andrew Hicks, director, healthcare practice lead, Coalfire, has over 10 years of experience in IT governance including responsibilities specific to the IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance spaces. His experience and understanding of business processes and technology has allowed him to excel in the areas of policy development, internal control design and testing, project management, system development reviews, and risk mitigation.
In light of recent reports that nearly 220,000 hospitals, office-based physicians and other eligible professionals have received more than $12 billion in federal incentive payments, I thought I’d highlight the top questions as featured on CMS.gov’s FAQ section.
But, a little perspective first. According to Modern Healthcare, to this point, 3,757 hospitals, or 75 percent of the 5,011 U.S. hospitals that are eligible to receive federal funds under the program, have received an EHR incentive payment.
Also, “215,500 physicians and other EPs, or 41 percent, of the 527,200 total physicians and other professionals deemed eligible to participate, have been paid. Some 85 percent of hospitals and 70 percent of physicians/EPs are registered under the programs, the CMS reports.”
So, back to the original story: CMS.gov’s Frequently Asked Questions and the answers. If you’re not aware of the resource, it serves a broad base audience with a smattering of questions and responses. For example, there a variety of topics including billing, e-health, data navigation, EHR incentive programs, well, you get the point.
Here’s a short list of some questions and their answers:
How and when will incentive payments for the Medicare Electronic Health Record (EHR) Incentive Programs be made? For eligible professionals (EPs), incentive payments for the Medicare EHR Incentive Program will be made approximately eight to 12 weeks after an EP successfully attests that they have demonstrated meaningful use of certified EHR technology. However, EPs will not receive incentive payments within that timeframe if they have not yet met the threshold for allowed charges for covered professional services furnished by the EP during the year. Payments will be held until the EP meets the threshold in allowed charges for the calendar year ($24,000 in the EP’s first year) in order to maximize the amount of the EHR incentive payment they receive. Medicare EHR incentive payments are based on 75 percent of the estimated allowed charges for covered professional services furnished by the EP during the entire calendar year. If the EP has not met the threshold in allowed charges by the end of calendar year, CMS expects to issue an incentive payment for the EP in March of the following year (allowing two months after the end of the calendar year for all pending claims to be processed).
What is CMS? The Centers for Medicare & Medicaid Services (CMS) is a branch of the U.S. Department of Health and Human Services. CMS is the federal agency which administers Medicare, Medicaid, and the Children’s Health Insurance Program. Provides information for health professionals, regional governments, and consumers. Additional information regarding CMS and it’s programs is available at http://www.cms.hhs.gov/.
When eligible professionals work at more than one clinical site of practice, are they required to use data from all sites of practice to support their demonstration of meaningful use and the minimum patient volume thresholds for the Medicaid EHR Incentive Program? CMS considers these two separate, but related issues. Meaningful use: Any eligible professional demonstrating meaningful use must have at least 50% of their of their patient encounters during the EHR reporting period at a practice/location or practices/locations equipped with certified EHR technology capable of meeting all of the meaningful use objectives. Therefore, States should collect information on meaningful users’ practice locations in order to validate this requirement in an audit.
How do physicians join or leave a group? If both the physician and the group are already enrolled with the same carrier, the physician and the group together are required to complete a CMS 855R showing the date the physician joined the group and reassigned benefits to the group. If a physician leaves a group, the physician or the group should complete the CMS 855R, showing the date the physician left the group. When leaving the group, the CMS 855R does not need to be signed by both the physician and the group. If either the physician or the group have not enrolled with the carrier, they must first complete the appropriate CMS 855 for either an individual (CMS 855I) or group (CMS 855B) before the reassignment can be effective.
Your smartphone a medical device? There’s a possibility that this could happen as Washington and its players continue to evaluate whether in the Food and Drug Administration should regulate mobile apps technologies, including health-related apps.
Based on the interpretation of the current administration’s perspective of mobile health innovation and regulation and how those innovations benefit patients will likely determine whether regulation, and ultimately, taxes are assessed on them.
Mobile health apps can range from an iPhone app that monitors diet to mobile or wireless technologies used in hospitals and home-care settings.
Obviously, developers and those producing the apps want more clarification on the issue. As expected from a federal agency, the FDA has issued draft guidance in 2011 according to Modern Healthcare about how it plans to oversee mhealth apps, but nothing final has been released. So, what we’ve seen may not ultimately be what we get.
Some people believe health apps will help solve the overwhelming cost crisis in healthcare; thus, shackling them with additional oversight, taxes and regulation will stifle a burgeoning industry. As such, according to Modern Healthcare, there needs to be “’predictable, transparent and risk-based regulation,’ the value of interoperability, and reimbursement policy that aligns stakeholders.”
I couldn’t have said it better myself, and I agree with the fear that some lawmakers have about a concern that FDA regulation of smartphones, tablets and apps could mean those technologies are subject to the medical device excise tax, a 2.3 percent tax on the sales of certain devices that went into effect in January.
The tax is part of the Patient Protection and Affordable Care Act and is considered the device industry’s contribution to financing healthcare reform.
In a March 1 letter to FDA Commissioner Dr. Margaret Hamburg (PDF), the House committee leading testimony asked the FDA to clarify whether the smartphones and mobile health apps will be subject to the tax. No response as yet. Not surprising. Additionally, leadership also requested that the agency provide information about when it plans to issue final guidance on how it plans to oversee mobile medical apps.
“Most Americans have no idea that their smartphone, tablet or the mobile apps that have become part of their daily lives could be subject to added red tape or a new tax under Obamacare,” Energy and Commerce Committee Chairman Fred Upton (R-Mich.) said in a news release.
According to the Washington Post, “In 2012, Congress gave the FDA the green light to define which medical apps would require its attention. The agency has asked for comment on a proposal that would give it regulation authority over accessories to existing medical devices, such as apps that show MRI scans, as well as apps and accessories that transform mobile devices into regulated medical devices, such as attachments or apps that turn smartphones into heart monitors.”
For those with an interest at stake here, they should feel some level of concern, no matter the side of the isle they happen to sit. Further regulation, and definitely taxation (especially at the app user level), will destroy the momentum gained by these tools to the market since they’ve been developed.
In the very least, the seemingly unending and elusive patient engagement game that plays on may find itself put on pause as this has the potential to once again remove personal control of tools designed to help manage and improve one’s health and to regulate it.
In many ways this seems like a sin tax. High taxes are used to get people to quit bad behavior, like smoking. When the prices gets too high, they (ideally) quit.
On its face, the CommonWell Health Alliancee really seems to hit the mark. A collection of the top EHR vendors coming together, sharing a stage and shaking hands; smiling; snapping photos of smiling happy CEOs. All together for one cause, or so the story goes: healthcare data interoperability. According to the “organization’s” website, interoperability is the cornerstone of healthcare’s future.
“Interoperability helps improve quality, reduce costs, enable regulatory compliance and ensure better access to healthcare for millions of people,” and so on and so forth.
Finally, CommonWell’s call to action: moving the healthcare industry beyond just recognizing the importance of interoperability, but moving the industry forward. CommonWell is supposed to be the health IT superhero that moved this giant boulder up the hill and positions it so eloquently on the top.
For those of us who didn’t know this already, CommonWell sums it up: “It’s time for healthcare IT organizations to come together and commit to achieving interoperability for the common good,” and so on and so forth.
So glad it took the giants of the industry to tell us as much.
Okay, so admittedly, this is a step in the right direction. It’s like putting big money behind a good cause. For everyone who has ever worked in the nonprofit trenches who spend their days begging the haves for the have nots, this a dream come true.
Those in the spot light can move us forward to a point where we must be. Allowing private enterprise to bear this mantle means we might finally make the move forward instead of being held back by the shackles of the federal reform and imposition.
After all, wasn’t interoperability a staple of meaningful use; an “industry consortium to adopt common standards and protocols to provide sustainable, cost-effective, trusted access to patient data,” if you will?
Because of meaningful use, we were supposed to be singing in circles by now, discussing all of the advancements we’ve made; our coming together and our ascending to the precipice. Alas, little has been attained through federally funded meaningful use except implementation and wars of words.
We waited, didn’t we? Long enough? Perhaps, perhaps not; depends on who you ask. Farzad Mostashari says we should wait a bit longer for the results to role in. The boys at Allscripts, athenahealth, Cerner, Greenway, McKesson and Relay Health (imagine the feelings of all the other vendor’s CEOs who were left out of this pre-arranged agreement; I guess there’s mincing words anymore) decided private enterprise is the way for things to actually get done.
And while it’s an interesting experiment, I think I agree with some of the other more intelligent folks in the field. Until we see some sort of actual forward movement with this initiative and until there’s some proof of life, this is really nothing more than a stake in the ground. A happy public relations move designed to flex a little corporate muscle on the industry’s largest stage.
With the annual HIMSS conference once again over, now is as good as any time to look back and pontificate on what the experience brought. For this piece, I once again reached out the readers of this site for their insight for their perspective, who are, after all, those benefiting from the show and its sessions.
It should be noted that I asked for pros and cons of the show, and I received mostly positive feedback, which doesn’t surprise me. However, don’t take that to mean this is a positive puff piece. On the contrary, I am trying to offer a fair and balance response from attendees that HIMSS leadership can use to plan future conferences.
Obviously, as each of us has been told at one time or another, criticism – good or bad – helps us grow, change and expand. With that, I welcome your comments, positive or negative about the show. Perhaps as a collective, we can help lead our community forward in a manner that’s most beneficial to all it stakeholders.
Without further ado, here are the comments from our colleagues about their reactions to HIMSS13.
Peter Ransome, vice president sales and marketing, Westbrook Technologies, Inc.
Pros: HIMSS was once again a tremendously successful event. Westbrook came away with new resellers, customers and partners. We had a great opportunity to network, learn and meet other vendors. Our team found great value in the keynotes and educational sessions and especially Farzad Mostashari’s final day keynote. Today, healthcare reform is focused on meaningful outcomes and disease management. The next wave of reform will put more emphasis on the value of preventive medicine. There are still a lot of error-prone paper processes that negatively affect the quality of patient care — even in a healthcare organization that has implemented a leading EHR system. We’ve found that more technology doesn’t necessarily result in better care. With more than 1,000 EHR vendors competing for the same healthcare dollars, consolidation is inevitable. It will be interesting to see how HIMSS changes in 2014 and how the industry is affected by rapidly accelerating acquisition activity.
Cons: (Apparently, the show was so good, Ransome listed no cons.)
Bill Fera, MD, principle, healthcare advisory practice of Ernst & Young
Pros: HIMSS has become an extremely valuable venue for gaining real-world examples of how organizations are advancing strategies to better utilize data for the improvement of patient care. Having so many industry influencers in one forum really makes HIMSS stand out — what I take away from networking and informal conversations can be just as useful as what’s formally presented in the sessions.
Cons: The challenge with HIMSS is the sheer volume of everything. The overload of information can become a distraction if you don’t allocate your time in advance and stay focused on what you want to accomplish.
Pros: HIMSS is well-organized and it had a great location this year in relations to access to airport and hotels. Additionally, education tracks were comprehensive and interesting, and there is a good assortment of attendees (institution and title).
Cons: At HIMSS, there’s not enough opportunity for partner networking. HIMSS should have a new/upcoming technology track (not just big vendors pitching products) and there should be better management of keynotes as managing overflow was challenging.
Christopher Ellis, director, Vree Health
Pros: There was clear industry movement toward technology integration and interoperability – this is a very positive step forward and something that was spoken to more than acted upon, until now. More consistently usable, structured data will open many avenues for leveraging data for better quality of care. Coming from this meeting, I am energized to see that many of the speakers emphasized that while technology is a great enabler, solutions must begin and end with the patient in mind. Providers and vendors that emphasize patient engagement, across varying levels of patient technology literacy, are positioning themselves well. The HIMSS conference was an excellent forum to survey different approaches to solving the same problems, including coordination of care, assessing health risk and patient engagement. Organizations that have a deep and long-standing heritage in healthcare clearly hit the mark on approaching these in ways that are reflective of provider operational flow.
Cons: Bring your walking shoes next year.
Thanks for all of your candid feedback, guys. I know HIMSS was considered a success this year, but there’s always room for improvement and growth, and it’s nice to be able to report such positive feedback for all in attendance.
If you have something to add, please leave a comment below. Thanks!
Guest post by Harry Jordan, vice president and general manager, healthcare for LexisNexis.
The most important question in identity management is not: “Who are you?” It’s “What do we need to know about you?” And nowhere is the answer to that question more critical than in healthcare, where inadequate systems and processes can not only threaten business integrity and success, but jeopardize lives, as well. Inevitably, it is time to shift the focus of the discussion of identity management away from authentication methodology and toward the broader healthcare context in which identity management is no longer a luxury, but a necessity.
Effective patient/member identity management springs from this fundamental question: “Given what we are trying to accomplish through this particular transaction, what do we need to know about this individual to insure safety, integrity and trust?” Or, more elaborately: “What do we need to know to prove this individual is who they say they are and that they are authorized to access the information being requested based on those identity credentials?”
The answer is determined by the intersection of multiple factors: your objectives; product and service characteristics; population demographics and attitudes; the nature, value and riskiness of the transaction being performed; the point in the process and relationship where it takes place; and organizational risk tolerance. Getting the answer right is critical to the sustainability of health care organizations and, more importantly, the safety of the individuals they serve.
Identity fraud is the fastest growing crime in the United States, affecting more than 11 million adults in 2010. Medical identity fraud is the fastest growing type of identity theft. The Ponemon Institute estimates the annual economic impact of medical identity theft to be nearly $31 billion.
Health care consumers will, and should, expect their data to be secure at all times in order to protect their financial and physical well-being. Health care stakeholders will demand solutions that ensure they are dealing with the right person, at the right time, for the right transaction, thereby minimizing risk and negative impact on their health care delivery decisions, the health of their patients and overall business performance.
As a recent Gartner report states, identity management is “increasingly recognized as delivering real-world business value,” and “identity management agility improves support for new business initiatives and contributes significantly to profitability.” Identity management is rapidly evolving to encompass emerging risks and application variability. There are tools you can put in place now to meet the increasing demands of identity management.
Point solutions and one-size-fits-all implementations are being supplanted by or absorbed into more comprehensive and flexible approaches. These solutions provide identity management coherency across processes and relationships, as well as identity management consistency across multiple channels and organizations.
At the same time, they enable organizations to efficiently implement a wide range of identity management tools that blend the right identity elements together with the appropriate view and assurance level for each transaction. Established organizations can layer new identity management capabilities onto existing systems in the form of services. Merely extending enterprise identity management solutions will not work.
Three key concepts are at the core of the most successful health care consumer identity management solutions. They are general principles shared by diverse business-specific implementations.
1. Identity management is as much about business as about security. Identity validation (or “resolution”), verification and authentication – commonly regarded as security functions – have far-reaching business ramifications. How you perform them can strongly shape your most direct and therefore vital interactions with patients, payers, providers and other healthcare stakeholders. Thus, while it is important, and sometimes mandatory, to follow industry standards, it is also critical to make sure that the way in which you implement identity management is tailored to your market, business plan and mission to maximize business goals and minimize organizational risk.
2. “Know your health care consumer” is the point of balance for multiple – and possibly competing – objectives. “Know your healthcare consumer” is a phrase that traditionally has different meanings to health care consumer service than it does for security management Service people are concerned with raising healthcare consumer satisfaction by increasing access and ease. Security people are concerned with reducing risk by restricting access.
3. Ask for only what you need to know. Knowing more can, in fact, enable you to ask for less information. In identity management industry jargon, the objective is “friction reduction” through “data minimization.” Improve the health care consumer experience by not asking for information you don’t need.
Strong security can be, for the most part, invisible to the user. Analytics operating in the background can spot links between healthcare consumer data and suspicious entities or recognize suspicious patterns of verification failure.
Analytics can be integrated with business rules to adjust the security level and trigger appropriate treatments or approval of treatments. They can also be used to determine if the current transactional pattern of behavior is unusual. Reacting to healthcare consumer responses in real time – taking business rules for different product lines, channels and types of transactions, and an entity’s tolerance for risk – an identity management service can make dynamic decisions about when to invoke additional and/or stronger measures.
The number of identity-reliant transactions engaged in across the health care continuum is multiplying rapidly and becoming ever more critical to the success of individual health care organizations. When dealing with any situation involving the sharing of a patient’s personal health information it is essential these organizations ask themselves the fundamental question about the individual or entity with which they will be sharing the information: “What do we need to know about you?”
This question is the starting place for all other questions in identity management. The right answer is the key to making identity management an enabler of great services accessed with ease and delivered at a low coast and minimal risk of fraud.
Harry Jordan is Vice President and General Manager, Healthcare for the risk solutions business of LexisNexis. He directs the healthcare business, offering capabilities in health management, predictive claims fraud analytics and health information exchanges.
Along with HIMSS’ largest money maker of the year — its annual conference — it’s also time for the results of its annual leadership survey.
While the results, which are reflected in the infographic below, are certainly interesting there is one point that seems to raise a flag immediately.
Prior to that, however, let’s take a quick look at the results. Accordingly, about 66 percent of the all health IT leaders say their organization qualified for meaningful use Stage 1 and 75 percent of the same folks expect to qualify for Stage 2. Additionally, nearly 90 percent of those who took the survey say they be ready for the ICD-10 switch later this year.
As such, there’s quite a need to hire new IT folks to carry the torch.
Next, it appears that nearly 20 percent of respondents said their health systems’ security was breech (at least those who admitted as much) and that 22 percent of said security was a priority for the coming year, which should be the case if 20 percent of them faced a security issue.
I understand the scope of the survey and who its respondents are, but doesn’t it strike anyone else as slightly odd that all of the changes to come are related to the IT? All, or much, of the reform is designed to engage patients and bring them closer to their care providers? Shouldn’t it be implemented to help improve outcomes and to drive better results and make the system more fluid? I guess IT is going to be what get’s us there. But along the way, couldn’t more be done at the care level as well as the IT level? Could some of the hiring take place to serve patients rather than the practice?
I digress. Apparently, for now, we’ll have to be thankful that all of this change is leading to improved job growth and fixes to the breeches that await us.
