The patient was prepped and ready on the operating table when the surgeon realized he only had a report of a CT scan and would need the actual images that were taken by another health system to successfully perform the procedure. Normally, this would either delay the surgery or tempt the doctors to try the procedure without all the relevant information.
Luckily for everyone involved, the hospital was a participant in a health information exchange (HIE). Within a few minutes, the surgeon had access to the necessary images through our secure portal and began a successful operation.
Interoperability is critical for planned and unplanned procedures. Today, COVID-19 patients often enter a hospital short of breath in desperate need of emergency attention – yet, as many hospitals work now, that patient is expected to produce their extensive medical record of allergies, conditions, medications, and previous operations while gasping for air.
Although medicine continues to greatly advance, most care providers still dwell in the world of dinosaurs: faxing, printing, burning CD-ROMs, and relying on the patient’s ability to produce medical histories.
A recent report by the National Academy of Medicine found that workflow and inadequate technology usability were major factors contributing to America’s alarming medical staff burnout rate. Customers who use modern network technology greatly benefit from seamless access to patient files that used to lie beyond their health system’s servers, easily communicating between other healthcare providers and patients themselves. Patient care is hard enough today without technical and communication failures.
covered entity and a business associate. It is a HIPAA law created to ensure that all of the HIPAA compliance risks (administrative, physical, and technical) are identified, and a roadmap is designed to plan the fixes necessary to resolve the issues found.
The risk assessment was not part of the original Health Insurance Portability and Accountability Act of 1996. Instead, it was first introduced in the 2003 Privacy Rule and Security Rule amendments and was then further expanded upon in the Final Omnibus Rule of 2013.
HIPAA legislation defines a Covered Entity (CE) as anyone that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.
The U.S. Department of Health and Human Services (HHS) officially defines a CE as: healthcare providers such as doctors, dentists, nursing homes, pharmacies, health insurance companies, HMOs, Medicare, Medicaid, and clearinghouses.
A business associate is any third party business or organization that handles individually identifiable health data on behalf of a covered entity, and the risk assessment is often considered the starting point to achieve HIPAA compliance.
What is a risk assessment?
A risk assessment is commonly the first task undertaken when a covered entity and a business associate enter into a Business Associate Agreement (BAA). Its purpose is to identify areas within the business that process, store, and transmit protected health information (PHI) that are in the scope of HIPAA compliance.
PHI is patient data that the law is meant to safeguard, such as data that can be used to identify an individual personally. Examples may include patient names, email addresses, social security numbers, insurance certificates, and so on.
It takes a pandemic to reveal how much digital technologies are ignored in the healthcare sector. The COVID-19 pandemic is dramatically transforming the healthcare sector and how professionals gather medical intelligence. Almost every physician worldwide has been part of a telemedicine movement to encourage patients to embrace safe and virtual appointments.
Consequently, preparing for a virtual appointment requires some getting used to. As a rule of thumb, patients can struggle to explain some of their symptoms, even in face-to-face interaction. That’s where real-time medical examination can help reduce misunderstandings.
In the virtual world, gathering evidence such as taking photos or filming a video that shows your symptoms and asking the right questions can guide the doctor to the appropriate diagnosis.
However, while we focus on making telehealth more accessible to patients, we also need to prepare doctors to make the most of it.
Find reliable HIPAA-compliant hosting
Gathering and storing digital data is not a novelty for healthcare centers. Nevertheless, keeping data storage HIPAA-compliant can become a challenge with the increased number of telehealth appointments. Protecting patients’ records in a fully digital world means relying on a highly secured data hosting strategy, as per Atlantic.net.
Contrary to common belief, there is no such thing as a HIPAA hosting body that can verify the compliance claims of each provider. For healthcare centers that need to adapt to the growing telemedicine demand, the quest for a robust, reliable HIPAA hosting provider becomes tricky and expensive.
By Rahul Varshneya, founder and president, Arkenea.
Cloud computing has become the new watchword for healthcare organizations across the globe. The adoption of cloud technology has been escalating at a frenetic pace and, as recent research suggests, the global market for cloud technologies in the industry is expected to reach $35 billion by 2020.
The underlying reason behind the recent hype in this technology is simple though. If healthcare institutions were plainly service providers before, today, they’re true technology organizations that now depend on their IT departments for administrative, clinical, and financial purposes. And that’s not all. As new payment models are added to the equation and patient expectations change, technology has become vital to drive efficiency and improve patient care.
In this article, we’ll be looking at a few things that have been made possible in healthcare due to the rapid adoption of cloud technology.
1) Reduced Costs of Data Storage
On-premises healthcare data centers not only demand an investment in hardware ahead of time, but they also come with ongoing costs of maintaining physical spaces, servers, and cooling solutions among many other things.
“Cloud solutions are very beneficial from the standpoint that as you migrate data, you don’t need to maintain your own datasets which can be costly and expensive,” explains Forward Health Group CTO Jeff Thomas. “Maintaining datasets on-site can also be expensive in that it takes up real estate which can sometimes be used for something else.”
By managing the structure, harmonious functioning and maintenance of cloud storage services, cloud computing vendors can significantly aid organizations in lowering their data storage costs and enable them to concentrate their efforts on caring for their patients.
Healthcare organizations can also leverage custom cloud EMR or EHR software to fit the needs of their specific practice. That way, they get exactly what they’re looking for without burning a hole in their pockets.
The scale of the coronavirus pandemic is impacting every facet of daily life. As COVID-19 continues its global spread, authorities are restricting large gatherings of people and enforcing stay at home protocols. This crisis is forcing us to adapt to a “new normal,” and technology is taking center stage to help us through the transition.
In fact, as the popularity and usefulness of video delivery over the internet grows, reports reveal that live streaming has already attracted 47% more users than this time last year. Through the influx of telehealth, remote learning, remote video conferencing and canceled events, live streaming has become a versatile — and essential — tool that is changing the way we stay in contact with others, particularly in the age of social distancing.
Live streaming is gaining in popularity across many different industries. Until the advent of live streaming technologies, 911 operators only had one source of information to assess an emergency situation: the caller. Now, thanks to advances in live streaming technologies, 911 operators are empowered with unprecedented access to emergency situations via live video.
Carbyne, a technology company that delivers actionable data from connected mobile devices to emergency communications centers, uses live streaming to enhance critical response capabilities. Through the combination of real-time video and location data, Carbyne provides emergency personnel with a more accurate assessment of the scene before they arrive, reducing emergency response times by more than 60%.
While Carbyne’s technology has proven beneficial across the globe for several years, the COVID-19 pandemic has brought additional benefits to the technology. Carbyne is effectively able to remotely evaluate potential COVID-19 cases and forward potentially infected individuals to medical professionals via telehealth services while maintaining HIPAA compliance.
Additionally, the Carbyne platform has been used in some cities to help track COVID-19 cases, delivering a heat map that details coronavirus-related calls so the municipality can better allocate resources and prevent the disease from spreading. As one hotspot hit hard by the virus, New Orleans uses Carbyne’s COVID-19 service to manage emergency calls and help individuals who have contracted the virus contact telehealth professionals instead of flooding emergency rooms. Carbyne has been fielding 70% of the city’s emergency calls, a majority of which were related to COVID-19 symptoms.
By Heather Annolino, senior director healthcare practice, Ventiv.
As hospitals work vigorously to address the health care needs of their patient populations during the COVID-19 pandemic, they are unintentionally leaving themselves and their patients exposed to cybersecurity risks.
Measures implemented to protect workers and patients, including expanded use of telehealth and telemedicine, remote work and bringing new equipment such as ventilators online can leave data exposed, and institutions vulnerable to hackers and scammers. These cyberattacks can affect supply chains and the ability to leverage healthcare data from the COVID-19 pandemic for use in the future for other crises.
In March 2020, the Office for Civil Rights announced it would not enforce penalties for HIPAA noncompliance against providers leveraging telehealth platforms that may not comply with privacy regulations. This measure rapidly expanded the use of telehealth and telemedicine over the past several weeks, allowing providers to utilize videoconferencing platforms, including WebEx, Zoom and Skype.
The use of telemedicine improves patient access and assists with alleviating the additional burden on healthcare systems by limiting in-person care during the COVID-19 pandemic. If any incidents do occur, they should be entered into the facility’s health care risk management/patient safety software system. This technology is designed to help healthcare organizations see all of their data in one place, making it easier to learn from the incidents through analysis. While doing that now might be difficult, it is essential to capture this data to improve preparation for the next disaster and prevent patient harm.
Although telemedicine presents a lower risk from a risk management perspective, it is still important to provide consistent processes and protections to mitigate potential threats. During these uncertain times, telemedicine is the best option for providers to continue treating select segments of their patient population, as well as triage potential COVID-19 cases. Whether health care organizations are looking to expand (or even begin) the use of telemedicine capabilities, it is crucial to outline best practices for consent, credentialing, and security and privacy to assist with mitigating potential risks.
Here are a few strategies facilities should consider:
Security and Privacy
Under normal circumstances, healthcare facilities have difficulty bringing key equipment online securely. As facilities are currently working tirelessly to address COVID-19 patients’ needs in addition to continuing to provide care to non-COVID-19 patients, there is a potential increase of security risks as additional medical equipment and medical IoT devices integrate into the network.
By investing in and deploying cybersecurity procedures and protections, including backup and downtime procedures, healthcare facilities can reduce the risk of potential phishing and ransomware attempts. These measures should include ensuring all practitioners are using communication apps recommended by the U.S. Department of Health & Human Services Office for Civil Rights and secure telephone connections as well.
By Carl Kunkleman, senior vice president and co-founder, ClearDATA.
Working in the world of healthcare security and compliance, I find one of the biggest dangers organizations face is having a false sense of security that their PHI is adequately protected. I’ve done hundreds of security risk assessments, and I have yet to find one single organization that did not have a security gap they were unaware they had in one or more of their administrative, technical or physical safeguards.
Add to this the complicated current state of healthcare battling COVID-19, and we are likely to see administrative systems that have gaps in on-boarding or off-boarding employees, technical infrastructures that didn’t have time or resources for patch management, and physical scenarios in makeshift triage units with compromised physical safeguards that simply cannot be addressed in the current haste to stop the spread of the virus.
Sadly, this sense of chaos creates the ideal conditions for the hackers of the world looking to infiltrate via phishing, malware and ransomware and more. Once this spread is arrested and we all get a moment to catch our breath and assess business practices, a good move would be to conduct a security risk assessment known as an SRA. Your internal teams and resources are stressed, overworked and possibly burned out and an SRA can identify security gaps that will inevitably arise and present an actionable plan to remediate. This will help reduce risks while protecting your organization’s finances and reputation while we all find out what “getting back to normal” will mean.
Right now, we are all doing everything we can. And the Department of Health and Human Services recognized that with their decision last week to waive penalties for providers that are serving patients through everyday communications technologies during the COVID-19 public health emergency. A security risk assessment this summer will help you put the compliance health of your organization back in order. In addition to the HIPAA requirement that you have an SRA on file annually, it helps unite your team in a strategic path forward by articulating what your highest and lowest risks are, before a hacker uncovers them.
Because an SRA covers administrative, technical and physical safeguards, your entire organization will benefit from the process. I continue to find organizations who think their PHI is protected because they have password-protected their computers and mobile devices. Our penetration testing has revealed that passwords are relatively easy to defeat. We continue to find gaps in encryption, patch management and even with PHI inventories. If you don’t know where all of your PHI resides, how can you protect it?
Virtual visits help providers increase productivity by adding revenue and reducing travel to different clinical settings. However, despite these obvious advantages, 2019 saw an abysmally low utilization rate of less than 10%. Things have monumentally changed. As a local physician characterized telehealth today, convenience is the new quality. Love it or hate it, telehealth is here to stay.
The Primary Care Collaborative conducts a weekly survey of physicians, nurse practitioners, and physician assistants working in primary care on how their practices are responding to the COVID-19 outbreak. Over 80% of respondents indicate their patients accept telehealth visits and nearly half of the respondents plan to continue using telehealth after the COVID-19 crisis is controlled.
Prior to the pandemic, telehealth was seen as convenient and time efficient for patients. It also showed promise for providing access to care for various underserved populations. Today we’ve gone beyond convenience as telehealth has become a necessity for both patients and providers. Increased utilization has been made possible by the relaxation of rules and requirements by both government and commercial health plans. Notably, the use of telehealth had been restricted by design.
Health plans wanted to control how and where telehealth was offered along with who could provide the service. For the duration of the COVID-19 health emergency, most health plans are allowing telehealth to be used in place of in-person encounters. Many are waiving patient cost share and paying providers the same rate as an in-person visit.
Medicare has made the following changes effective during the COVID-19 health emergency: telehealth can be used with both new and established patients, telehealth via telephone will be reimbursed, and providers are allowed to treat patients across state lines. In addition, the Centers for Medicare and Medicaid Services (CMS) is waiving HIPAA violation penalties for utilizing technologies such as FaceTime or Skype.
There are several regulatory compliance requirements that healthcare organizations must follow. Even so, it’s the Health Insurance Portability and Accountability Act (HIPAA) that gets the most recognition. If your organization is involved in the healthcare industry, you should ensure that it complies with the Health Information Technology for Economic and Clinical Health Act (HITECH) as well.
These two compliance requirements are somewhat interrelated. However, HITECH is meant to enhance information technology in the healthcare industry while protecting the security and privacy concerns regarding ePHI. HITECH significantly modified HIPAA and the Social Security Act. Therefore, it can be difficult to understand how these regulatory compliance frameworks complement each other.
How HITECH And HIPAA Are Similar
HITECH and HIPAA compliance is overseen by the Health and Human Services Department (HHS). Typically, healthcare organizations tend to focus on HIPAA compliance since it is the backbone of the Privacy Rule that sets national standards regarding PHI and medical record protection. The Privacy Rule was adopted in 2000. Since then, HHS has only made one modification. That was in 2002 when the Privacy Rule was modified to become one of the initial information privacy and security regulations.
The Office of the National Coordinator for Health Information Technology (ONC) is mandated to promote the quality of healthcare by advancing health IT. ONC is also tasked with the role of securing ePHI and establishing procedures for electronic health records (EHRs) to promote privacy.
Therefore, while HITECH and HIPAA complement each other, they are dissimilar. HITECH focuses on information technology as well as the preservation of electronic information, whereas HIPAA dwells on protecting privacy as well as expanding beyond information systems.
How HITECH And HIPAA Differ
Although HITECH and HIPAA have many similarities, the two regulations also differ on various vital details. HITECH was meant to expand HIPAA. Even so, the latter remains focused on addressing privacy and breach notification issues to protect against identity theft and fraud. On the other hand, HITECH differs from HIPAA because it established restructured criminal and civil compliance penalties. Furthermore, HITECH extended HIPAA’s breach notification requirement beyond covered organizations to also include business associates.
From an IT perspective, compliance managers ought to focus on the significance of robust encryption. In case malicious actors breach the ePHI, effective encryption will mitigate rule violations. Therefore, if the encryption makes the information unreadable, the organization won’t be fined. Nonetheless, proving effective encryption means complying with the NIST Federal Information Processing Standard. Therefore, healthcare regulatory compliance can only be realized if you fully understand your organization’s IT infrastructure.
In a new survey conducted by Kareo, independent medical practices and billing companies shared the unprecedented challenges created for them and their patients by the coronavirus pandemic. More than 600 medical practices and 140 medical billing companies were interviewed by Kareo in late March.
The research uncovered the immediate actions medical practices and clinics are taking to ensure patient access to care through telemedicine solutions with 75% reporting either a current telemedicine option or the intent to deploy one soon. The survey also highlighted the risks to patients and independent medical practices with 9% of respondents reporting practice closures with many more concerned about potential practice closures as patient office visits plummet due to “stay at home” orders and other concerns. As Kareo was publishing these survey results, the Coronavirus Aid, Relief and Economic Security (CARES) Act was signed into law, potentially providing a lifeline to the most severely impacted medical practices.
By mid-March, independent healthcare professionals were already facing the practice and personal impacts of the coronavirus pandemic, with 28% of practices only offering telemedicine visits and 9% of practices already closed, with many more concerned about the risk of future closure. While 63% of practices were still delivering on-site care, most of these practices were exploring options to move to hybrid or exclusively telemedicine-based care.
Kareo’s ongoing analysis of actual patient encounters across over 50,000 medical providers found that by late March independent medical practices had experienced an approximately 35% decline in patient volume, raising alarm around both the apparent inability for patients to access care and the operational viability of medical practices if this trend continues.
Kareo’s research also highlighted the impact felt by the more than 5,000 medical billing companies across the country, with these service providers reporting immediate impacts on their businesses due to precipitous decline in medical practice patient volume. These companies play a critical role in the healthcare ecosystem by providing medical billing expertise that is essential for the financial viability of many independent medical practices. Financial risk to these service providers creates another risk for medical practices to manage as practice volumes ultimately return to normal.
To address “stay at home” orders and patient concerns about face-to-face medical encounters, healthcare professionals have rapidly turned to telemedicine solutions. By mid-March, fully 41% of independent medical practices reported offering telemedicine, up from 22% reported in Kareo’s State of the Independent Practice Report in late 2018.
An additional 34% reported current efforts to deploy telemedicine options, which ultimately will result in the vast majority (75%) of medical practices providing remote care solutions. In the third week of March, Kareo saw a 500% week-over-week increase in telemedicine visits while working to accommodate an over 3,000% increase in telemedicine adoption.
The easing of regulatory requirements related to telemedicine security and functionality allowed medical practices to access a broader set of possible telemedicine solutions, ranging from medically-specific options like Kareo Telemedicine that are HIPAA compliant and fully integrated with the broader patient engagement, electronic health record, and billing technology platform all the way to general video call technology such as Apple FaceTime. Easing Medicare, Medicaid and commercial insurance reimbursement requirements for telemedicine also supported the rapid pivot to virtual care and is essential in supporting the financial viability of medical practices and their supporting medical billers.
“Independent medical practices stand as the cornerstone of the U.S. healthcare system and are responsible for more than two-thirds of annual patient visits,” said Dan Rodrigues, founder and CEO of Kareo. “Yet our research shows that even doctors are not immune to the economic impact of the coronavirus pandemic. Telemedicine and the CARES Act provide critical lifelines to ensure independent practices remain available to their patients through this crisis.”
There are several government programs that practices can take advantage of to ease financial burdens and maintain their current staff levels. Small business loans, tax relief, Medicare payment advances and grants are a few of the options currently available. In combination, these programs can help ensure that independent medical practices and clinics emerge from the COVID-19 pandemic with minimal damage to the long-term viability of their business.
The CARES Act expands eligibility for loans under Section 7(a) of the Small Business Act and authorizes the Small Business Administration to make $349 billion in Section 7(a) loans. The CARES Act also offers an employee retention tax credit (Employee Retention Credit) designed to encourage eligible employers to keep employees on their payroll. The Centers for Medicare & Medicaid Services (CMS) has expanded its current Accelerated and Advance Payment Program to a broader group of Medicare Part A providers and Part B suppliers. Details on eligibility and the request process are outlined in the Expansion of the Accelerated and Advance Payment Program fact sheet. The expansion of these programs is also only for the duration of the public health emergency. For more information on resources available to help with the COVID-19 crisis, visit Kareo.com/covid-19.