By Rahul Varshneya, founder and president, Arkenea.
Cloud computing has become the new watchword for healthcare organizations across the globe. The adoption of cloud technology has been escalating at a frenetic pace and, as recent research suggests, the global market for cloud technologies in the industry is expected to reach $35 billion by 2020.
The underlying reason behind the recent hype in this technology is simple though. If healthcare institutions were plainly service providers before, today, they’re true technology organizations that now depend on their IT departments for administrative, clinical, and financial purposes.And that’s not all. As new payment models are added to the equation and patient expectations change, technology has become vital to drive efficiency and improve patient care.
In this article, we’ll be looking at a few things that have been made possible in healthcare due to the rapid adoption of cloud technology.
1) Reduced Costs of Data Storage
On-premises healthcare data centers not only demand an investment in hardware ahead of time, but they also come with ongoing costs of maintaining physical spaces, servers, and cooling solutions among many other things.
“Cloud solutions are very beneficial from the standpoint that as you migrate data, you don’t need to maintain your own datasets which can be costly and expensive,” explains Forward Health Group CTO Jeff Thomas. “Maintaining datasets on-site can also be expensive in that it takes up real estate which can sometimes be used for something else.”
By managing the structure, harmonious functioning and maintenance of cloud storage services, cloud computing vendors can significantly aid organizations in lowering their data storage costs and enable them to concentrate their efforts on caring for their patients.
Healthcare organizations can also leverage custom cloud EMR or EHR software to fit the needs of their specific practice. That way, they get exactly what they’re looking for without them having to dig a hole in their pockets.
The scale of the coronavirus pandemic is impacting every facet of daily life. As COVID-19 continues its global spread, authorities are restricting large gatherings of people and enforcing stay at home protocols. This crisis is forcing us to adapt to a “new normal,” and technology is taking center stage to help us through the transition.
In fact, as the popularity and usefulness of video delivery over the internet grows, reports reveal that live streaming has already attracted 47% more users than this time last year. Through the influx of telehealth, remote learning, remote video conferencing and canceled events, live streaming has become a versatile — and essential — tool that is changing the way we stay in contact with others, particularly in the age of social distancing.
Live streaming is gaining in popularity across many different industries. Until the advent of live streaming technologies, 911 operators only had one source of information to assess an emergency situation: the caller. Now, thanks to advances in live streaming technologies, 911 operators are empowered with unprecedented access to emergency situations via live video.
Carbyne, a technology company that delivers actionable data from connected mobile devices to emergency communications centers, uses live streaming to enhance critical response capabilities. Through the combination of real-time video and location data, Carbyne provides emergency personnel with a more accurate assessment of the scene before they arrive, reducing emergency response times by more than 60%.
While Carbyne’s technology has proven beneficial across the globe for several years, the COVID-19 pandemic has brought additional benefits to the technology. Carbyne is effectively able to remotely evaluate potential COVID-19 cases and forward potentially infected individuals to medical professionals via telehealth services while maintaining HIPAA compliance.
Additionally, the Carbyne platform has been used in some cities to help track COVID-19 cases, delivering a heat map that details coronavirus-related calls so the municipality can better allocate resources and prevent the disease from spreading. As one hotspot hit hard by the virus, New Orleans uses Carbyne’s COVID-19 service to manage emergency calls and help individuals who have contracted the virus contact telehealth professionals instead of flooding emergency rooms. Carbyne has been fielding 70% of the city’s emergency calls, a majority of which were related to COVID-19 symptoms.
By Heather Annolino, senior director healthcare practice, Ventiv.
As hospitals are working vigorously to address the health care needs of its patient population during the COVID-19 pandemic, they are unintentionally leaving themselves and their patients exposed to cybersecurity risks.
Measures implemented to protect workers and patients, including expanded use of telehealth and telemedicine, remote work and bringing new equipment such as ventilators online can leave data exposed, and institutions vulnerable to hackers and scammers. These cyberattacks can affect supply chains and the ability to leverage healthcare data from the COVID-19 pandemic for use in the future for other crises.
In March 2020, the Office for Civil Rights announced it would not enforce penalties for HIPAA noncompliance against providers leveraging telehealth platforms that may not comply with privacy regulations. This measure rapidly expanded the use of telehealth and telemedicine over the past several weeks, allowing providers to utilize videoconferencing platforms, including WebEx, Zoom and Skype.
The use of telemedicine improves patient access and assists with alleviating the additional burden on healthcare systems by limiting in-person care during the COVID-19 pandemic. If any incidents do occur, they should be entered into the facility’s health care risk management/patient safety software system. This technology is designed to help healthcare organizations see all of their data in one place, making it easier to learn from the incidents through analysis. While doing that now might be difficult, it is essential to capture this data to improve preparation for the next disaster and prevent patient harm.
Although telemedicine presents a lower risk from a risk management perspective, it is still important to provide consistent processes and protections to mitigate potential threats. During these uncertain times, telemedicine is the best option for providers to continue treating select segments of their patient population, as well as triage potential COVID-19 cases. Whether health care organizations are looking to expand (or even begin) the use of telemedicine capabilities, it is crucial to outline best practices for consent, credentialing, and security and privacy to assist with mitigating potential risks.
Here are a few strategies facilities should consider:
Security and Privacy
Under normal circumstances, healthcare facilities have difficulty bringing key equipment online securely. As facilities are currently working tirelessly to address COVID-19 patients’ needs in addition to continuing to provide care to non-COVID-19 patients, there is a potential increase of security risks as additional medical equipment and medical IoT devices integrate into the network.
By investing in and deploying cybersecurity procedures and protections, including backup and downtime procedures, healthcare facilities can reduce the risk of potential phishing and ransomware attempts. These measures should include ensuring all practitioners are using communication apps recommended by the U.S. Department of Health & Human Services Office for Civil Rights and secure telephone connections as well.
By Carl Kunkleman, senior vice president and co-founder, ClearDATA.
Working in the world of healthcare security and compliance, I find one of the biggest dangers organizations face is having a false sense of security that their PHI is adequately protected. I’ve done hundreds of security risk assessments, and I have yet to find one single organization that did not have a security gap they were unaware they had in one or more of their administrative, technical or physical safeguards.
Add to this, the complicated current state of healthcare battling COVID-19, and we are likely to see administrative systems that have gaps in off-boarding or off-boarding employees, technical infrastructures that didn’t have time or resources for patch management, and physical scenarios in makeshift triage units with compromised physical safeguards that simply cannot be addressed in the current haste to stop the spread of the virus.
Sadly, this sense of chaos creates the ideal conditions for the hackers of the world looking to infiltrate via phishing, malware and ransomware and more. Once this spread is arrested and we all get a moment to catch our breath and assess business practices, a good move would be to conduct a security risk assessment known as an SRA. Your internal teams and resources are stressed, overworked and possibly burned out and an SRA can identify security gaps that will inevitably arise and present an actionable plan to remediate. This will help reduce risks while protecting your organization’s finances and reputation while we all find out what “getting back to normal” will mean.
Right now, we are all doing everything we can. And the Department of Health and Human Services recognized that with their decision last week to waive penalties for providers that are serving patients through everyday communications technologies during the COVID-19 public health emergency. A security risk assessment this summer will help you put the compliance health of your organization back in order. In addition to the HIPAA requirement that you have an SRA on file annually, it helps unite your team in a strategic path forward by articulating what your highest and lowest risks are, before a hacker uncovers them.
Because an SRA covers administrative, technical and security safeguards, your entire organization will benefit from the process. I continue to find organizations who think their PHI is protected because they have password protected their computers and mobile devices. Our penetration testing has revealed that passwords are relatively easy to defeat. We continue to find gaps in encryption, patch management and even with PHI inventories. If you don’t know where all of your PHI resides, how can you protect it?
Virtual visits help providers increase productivity by adding revenue and reducing travel to different clinical settings. However, despite these obvious advantages, 2019 saw an abysmally low utilization rate of less than 10%. Things have monumentally changed. As a local physician characterized telehealth today, convenience is the new quality. Love it or hate it, telehealth is here to stay.
The primary care collaborative conducts a weekly survey of physicians, nurse practitioners, and physician assistants working in primary care on how their practices are responding to the COVID-19 outbreak. Over 80% of respondents indicate their patients accept telehealth visits and nearly half of the respondents plan to continue using telehealth after the COVID-19 crisis is controlled.
Prior to the pandemic, telehealth was seen as convenient and time efficient for patients. It also showed promise for providing access to care for various underserved populations. Today we’ve gone beyond convenience as telehealth has become a necessity for both patients and providers. Increased utilization has been made possible by the relaxation of rules and requirements by both government and commercial health plans. Notably, the use of telehealth had been restricted by design.
Health plans wanted to control how and where telehealth was offered along with who could provide the service. For the duration of the COVID-19 health emergency, most health plans are allowing telehealth to be used in place of in-person encounters. Many are waiving patient cost share and paying providers the same rate as an in-person visit.
Medicare has made the following changes effective during the COVID-19 health emergency: telehealth can be used with both new and established patients, telehealth via telephone will be reimbursed, and providers are allowed to treat patients across state lines. In addition, the Centers for Medicare and Medicaid Services (CMS) is waiving HIPAA violation penalties for utilizing technologies such as FaceTime or Skype.
There are several regulatory compliance requirements that healthcare organizations must follow. Even so, it’s the Health Insurance Portability and Accountability Act (HIPAA) that gets the most recognition. If your organization is involved in the healthcare industry, you should ensure that it complies with the Health Information Technology for Economic and Clinical Health Act (HITECH) as well.
These two compliance requirements are somehow interrelated. However, HITECH is meant to enhance information technology in the healthcare industry while protecting the security and privacy concerns regarding ePHI. HITECH significantly modified HIPAA and the Social Security Act. Therefore, it can be difficult to understand how these regulatory compliance frameworks complement each other.
How HITECH And HIPAA Are Similar
HITECH and HIPAA compliance is overseen by the Health and Human Services Department (HHS). Typically, healthcare organizations tend to focus on HIPAA compliance since it is the backbone of the Privacy Rule that sets national standards regarding PHI and medical record protection. The Privacy Rule was adopted in 2000. Since then, HHS has only made one modification. That was in 2002 when the Privacy Rule was modified to become one of the initial information privacy and security regulations.
The Office of the National Coordinator for Health Information Technology (ONC) is mandated to promote the quality of healthcare by advancing health IT. ONC is also tasked with the role of securing ePHI and establishing procedures for electronic health records (EHRs) to promote privacy.
Therefore, while HITECH and HIPAA complement each other, they are dissimilar. HITECH focuses on information technology as well as the preservation of electronic information, whereas HIPAA dwells on protecting privacy as well as expanding beyond information systems.
How HITECH And HIPAA Differ
Although HITECH and HIPAA have many similarities, the two regulations also differ on various vital details. HITECH was meant to expand HIPAA. Even so, the latter remains focused on addressing privacy and breach notification issues to protect against identity theft and fraud. On the other hand, HITECH differs from HIPAA because it established restructured criminal and civil compliance penalties. Furthermore, HITECH extended HIPAA’s breach notification requirement beyond covered organizations also to include business associates.
From an IT perspective, compliance managers ought to focus on the significance of robust encryption. In case malicious actors breach the ePHI, effective encryption will mitigate rule violations. Therefore, if the encryption makes the information unreadable, the organization won’t be fined. Nonetheless, proving effective encryption means complying with the NIST Federal Information Process Standard. Therefore, healthcare regulatory compliance can only be realized if you fully understand your organization’s IT infrastructure.
In a new survey conducted by Kareo, independent medical practices and billing companies shared the unprecedented challenges created for them and their patients by the coronavirus pandemic. More than 600 medical practices and 140 medical billing companies were interviewed by Kareo in late March.
The research uncovered the immediate actions medical practices and clinics are taking to ensure patient access to care through telemedicine solutions with 75% reporting either a current telemedicine option or the intent to deploy one soon. The survey also highlighted the risks to patients and independent medical practices with 9% of respondents reporting practice closures with many more concerned about potential practice closures as patient office visits plummet due to “stay at home” orders and other concerns. As Kareo was publishing these survey results, the Coronavirus Aid, Relief and Economic Security (CARES) Act was signed into law, potentially providing a lifeline to the most severely impacted medical practices.
By mid-March, independent healthcare professionals were already facing the practice and personal impacts of the coronavirus pandemic, with 28% of practices only offering telemedicine visits and 9% of practices already closed, with many more concerned about the risk of future closure. While 63% of practices were still delivering on-site care, most of these practices were exploring options to move to hybrid or exclusively telemedicine-based care.
Kareo’s ongoing analysis of actual patient encounters across over 50,000 medical providers, found that by late March independent medical practices has experienced an approximately 35% decline in patient volume, raising alarm around both the apparent inability for patients to access care and the operational viability of medical practices if this trend continues.
Kareo’s research also highlighted the impact felt by the more than 5,000 medical billing companies across the country, with these service providers reporting immediate impacts on their businesses due to precipitous decline in medical practice patient volume. These companies play a critical role in the healthcare ecosystem by providing medical billing expertise that is essential for the financial viability of many independent medical practices. Financial risk to these service providers creates another risk for medical practices to manage as practice volumes ultimately return to normal.
To address “stay at home” orders and patient concerns about face-to-face medical encounters, healthcare professionals have rapidly turned to telemedicine solutions. By mid-March, fully 41% of independent medical practices reported offering telemedicine, up from 22% reported in Kareo’s State of the Independent Practice Report in late 2018.
An additional 34% reported current efforts to deploy telemedicine options, which ultimately will result in the vast majority (75%) of medical practices providing remote care solutions. In the third week of March, Kareo saw a 500% week-over-week increase in telemedicine visits while working to accommodate an over 3,000% increase in telemedicine adoption.
The easing of regulatory requirements related to telemedicine security and functionality allowed medical practices to access a broader set of possible telemedicine solutions, ranging from medically-specific options like Kareo Telemedicine that are HIPAA compliant and fully integrated with the broader patient engagement, electronic health record, and billing technology platform all the way to general video call technology such as Apple FaceTime. Easing Medicare, Medicaid and commercial insurance reimbursement requirements for telemedicine also supported the rapid pivot to virtual-care and are essential in supporting the financial viability of medical practices and their supporting medical billers.
“Independent medical practices stand as the cornerstone of the U.S. healthcare system and are responsible for more than two-thirds of annual patient visits,” said Dan Rodrigues, founder and CEO of Kareo. “Yet our research shows that even doctors are not immune to the economic impact of the coronavirus pandemic. Telemedicine and the CARES Act provide critical lifelines to ensure independent practices remain available to their patients through this crisis.”
There are several government programs that practices can take advantage of to ease financial burdens and maintain their current staff levels. Small business loans, tax relief, Medicare payment advances and grants are a few of the options currently available. In combination, these programs can help ensure that independent medical practices and clinics emerge from the COVID-19 pandemic with minimal damage to the long-term viability of their business.
The CARES Act expands eligibility for loans under Section 7(a) of the Small Business Act and authorizes the Small Business Administration to make $349 billion in Section 7(a) loans. The CARES Act also offers an employee retention tax credit (Employee Retention Credit) designed to encourage eligible employers to keep employees on their payroll. The Centers for Medicare & Medicaid Services (CMS) has expanded their current Accelerated and Advance Payment Program to a broader group of Medicare Part A providers and Part B suppliers. Details on the eligibility, and the request process are outlined in the Expansion of the Accelerated and Advance Payment Program fact sheet. The expansion of these programs is also only for the duration of the public health emergency. For more information on resources available to help with the COVID-19 crisis, visit Kareo.com/covid-19.
The healthcare industry is ripe for disruption and transformation. According to McKinsey & Company, U.S. pharma is “in a state of flux.” Seismic shifts are happening, from significant merger and acquisition (M&A) activity to pharmacy store closures to changes in strategic partnerships between major health insurers and pharmacy benefit managers (PBMs), and the seemingly inevitable entry of Amazon into the market. Moreover, the healthcare ecosystem continues to face challenges as it attempts to comply with regulations like HIPAA and HITECH.
During this period of change, McKinsey’s research establishes three imperatives for healthcare businesses to consider. The first is to pursue business models that deliver a lower total cost of care for consumers and employers. The second involves leveraging data aggregation and big data analytics to generate insights and create value, and the third is to put the consumer at the center of everything by creating innovative ways to bring more consumer-driven insights and actions into the business.
The growth in digital health indicates that many businesses are acting on these imperatives and are finding commercial success. The digital health sector currently is estimated at $86.4 billion and is predicted to grow by almost 30 percent year-over-year through 2025. But with such a vast and complex industry like healthcare, it is challenging to appreciate the realities of digital disruption without drilling down into specific sub-sectors and profiling some of the disruptors that are in the process of altering their landscapes.
Following are some examples of how the “value pool” is shifting in this industry, resulting in cost savings for patients through the elimination of waste.
Pharmacy benefit management value pool shifts by removing inefficiencies
Pharmacy benefit management (PBM) includes third-party administrators for prescription drug programs at insurance companies, businesses, self-insured employers and government health plans. PBMs have a vast market valuation of $368 billion, as of 2018, within the U.S. healthcare system and an expected annual growth forecast of more than 9 percent.
Despite the size of the market, however, many PBMs do not have the technical sophistication to flourish in the digital world, which has given rise to companies such as RxSense. Previously a PBM, RxSense pivoted to meet the real-time needs of customers by providing a business-to-business (B2B) digital platform for the whole PBM industry. Its goal is to bypass problems with legacy PBM systems, including a lack of innovation, inefficiencies, inflexibility and challenges around accuracy and transparency.
The next step beyond digitization for players such as RxSense will be the application of artificial intelligence (AI) and machine learning technologies to further increase administrative efficiency, drive down costs and, ultimately, improve clinical outcomes.
It’s perhaps the greatest gift a person can have, but we usually take it for granted until it’s gone. Without it, nothing else in life is quite the same. And once it’s gone, it can be very hard to get it back. And while patients play the ultimate role in safeguarding and directing their health, the truth is that no one can do it alone. No matter what your role in the healthcare industry may be, you are charged with a sacred obligation to treat your patients with respect, honor, and care.
No matter who our patients are — rich or poor, young or old, sick or well — they depend on healthcare experts to help them protect this most precious gift of health. They expect and assume that those whom they entrust with their lives and the lives of those they love will be respectful of that trust, will care for them and their dear ones ethically and honorably. But what does this mean for your clinical practice? What do healthcare ethics look like in the year 2020?
Honoring the Human in the Technological Age
Privacy is one of the most sacred rights and significant concerns in healthcare. However, there’s no escaping the fact that we live in the era of big data, and there’s also no escaping the fact that big data can be a tremendous asset in healthcare. Even if a patient is thousands of miles away from home and from their primary healthcare providers, electronic health data can facilitate the sharing of essential medical records, from scans to lab results, with just the click of a button.
But how, in this age of big data and breathtakingly fast technological evolution do we ensure that respect for the human is not lost? How do we avoid reducing individual patients to a mere system of lab results and scans? How do we prevent losing the person in a sea of data sets? That will and must be one of the principal ethical considerations in 2020.
The HIPAA outlines the standard security practices that organizations handling protected health information (PHI) need to adhere to. Whether your business is compliant with the HIPAA or not can have a huge impact on how you handle your business. If you are non-compliant, you risk being involved in data breaches, which results in a domino effect. A single breach can lead to the loss of valuable customer data, expensive lawsuits, PR nightmares, and even the loss of your business.
Even without a data breach affecting your business, you still need to be compliant to be competitive in the health industry. Security-conscious businesses in the industry will only agree to do business with you as long as you are compliant. Lastly, compliance will help you evade fines from regulatory bodies as well as appearing on the wall of shame, which is a site that lists health-related organizations that have undergone data breaches. Lucky for you, as long as you commit to understanding HIPAA compliance, it will typically be quite easy for you to know what to do.
Here are some insights on managing HIPAA compliance for your business:
What To Expect?
If you are supposed to be HIPAA compliant, you will either be a covered entity or business associate. Covered entities are organizations that have direct access to the customer and their PHI (doctors, insurance companies, and pharmacies). Business associates, on the other hand, work with the covered entities in a non-healthcare capacity, and they have access to PHI. These can be lawyers, IT personnel, accountants, and administrators. Regardless of where you fall, you need to adhere to four HIPAA rules:
1. The Privacy Rule
This rule looks to protect the privacy of PHI. It outlines how and when actors in the health industry can and cannot use health data. The data it protects includes past, present, and future health information of protected individuals, payment data, the details of the care any individual was provided with, contact information, identifying numbers (ID and social security numbers), and even fingerprints.
2. The Omnibus Rule
The Omnibus rule outlines how business associates should carry themselves out and how they interact with the covered entity. Recent updates to this rule expanded the omnibus rule to storage companies, sub-contractors, and even consultants. It prohibits actors from using PHI for the wrong reasons such as marketing or using genetic information to underwrite insurance policies.
3. The Security Rule
The security rule is meant to control how businesses handle electronic Protected Health Information (ePHI). It requires businesses to have the right safeguards for protecting the confidentiality security and integrity of ePHI. These safeguards are divided into three, including: