There are several regulatory compliance requirements that healthcare organizations must follow. Even so, it’s the Health Insurance Portability and Accountability Act (HIPAA) that gets the most recognition. If your organization is involved in the healthcare industry, you should ensure that it complies with the Health Information Technology for Economic and Clinical Health Act (HITECH) as well.
These two compliance requirements are closely interrelated. However, HITECH is meant to advance information technology in the healthcare industry while addressing the security and privacy of ePHI. HITECH significantly modified HIPAA and the Social Security Act. As a result, it can be difficult to understand how these regulatory compliance frameworks complement each other.
How HITECH And HIPAA Are Similar
HITECH and HIPAA compliance are both overseen by the Department of Health and Human Services (HHS). Typically, healthcare organizations tend to focus on HIPAA compliance, since it is the backbone of the Privacy Rule that sets national standards for the protection of PHI and medical records. The Privacy Rule was adopted in 2000. Since then, HHS has made only one modification, in 2002, when the Privacy Rule was modified to become one of the initial information privacy and security regulations.
The Office of the National Coordinator for Health Information Technology (ONC) is mandated to promote the quality of healthcare by advancing health IT. ONC is also tasked with the role of securing ePHI and establishing procedures for electronic health records (EHRs) to promote privacy.
Therefore, while HITECH and HIPAA complement each other, they are not the same. HITECH focuses on information technology and the preservation of electronic information, whereas HIPAA centers on protecting privacy and extends beyond information systems.
How HITECH And HIPAA Differ
Although HITECH and HIPAA have many similarities, the two regulations also differ on various vital details. HITECH was meant to expand HIPAA. Even so, the latter remains focused on addressing privacy and breach notification issues to protect against identity theft and fraud. On the other hand, HITECH differs from HIPAA because it established restructured criminal and civil compliance penalties. Furthermore, HITECH extended HIPAA’s breach notification requirement beyond covered entities to include business associates.
From an IT perspective, compliance managers ought to focus on the significance of robust encryption. If malicious actors gain access to ePHI, effective encryption mitigates rule violations: if the encryption renders the information unreadable, the organization won’t be fined. Nonetheless, proving effective encryption means complying with the NIST Federal Information Processing Standards (FIPS). Therefore, healthcare regulatory compliance can only be realized if you fully understand your organization’s IT infrastructure.
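As an added illustration, not part of the original article, the following Go program shows what "encryption that renders the information unreadable" looks like for a single ePHI record at rest: AES-256-GCM (AES is FIPS 197, GCM mode is NIST SP 800-38D), with the record identifier bound as associated data so that a stored blob cannot be quietly swapped onto another patient's record, and with any tampering rejected rather than decrypted into garbage. The function names, the blob layout (nonce followed by ciphertext and tag), the demo key and the sample record are all my own constructions; a real deployment would draw the key from a KMS or HSM rather than generating it in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is 32 bytes, i.e. AES-256.
const keySize = 32

// EncryptRecord seals plaintext under key and returns nonce || ciphertext || tag.
// recordID is authenticated but not encrypted, so it can stay a plain database
// column while still being tied cryptographically to this blob.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per record. Reusing a nonce under the same key
	// breaks GCM, so it is never derived from anything predictable.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptRecord reverses EncryptRecord. A wrong key, a wrong recordID, or any
// modified byte makes the authentication tag check fail and returns an error.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

func main() {
	// Constructed demo key; in production the key comes from a KMS/HSM.
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte(`{"mrn":"000123","note":"constructed sample record"}`) // constructed ePHI
	blob, err := EncryptRecord(key, "patient-000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes and unreadable without the key: %x...\n", len(blob), blob[:16])

	pt, err := DecryptRecord(key, "patient-000123", blob)
	fmt.Printf("correct key and record id: %s (err=%v)\n", pt, err)

	blob[len(blob)-1] ^= 0x01 // flip one bit in the tag
	_, err = DecryptRecord(key, "patient-000123", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design point for a compliance reviewer is that authenticated encryption gives two properties at once: confidentiality (the blob is meaningless without the key) and integrity (a modified or misfiled blob fails to open), and the strength of the whole arrangement then rests on where the key lives and who can call `DecryptRecord`, not on the ciphertext itself.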
In a new survey conducted by Kareo, independent medical practices and billing companies shared the unprecedented challenges created for them and their patients by the coronavirus pandemic. More than 600 medical practices and 140 medical billing companies were interviewed by Kareo in late March.
The research uncovered the immediate actions medical practices and clinics are taking to ensure patient access to care through telemedicine solutions with 75% reporting either a current telemedicine option or the intent to deploy one soon. The survey also highlighted the risks to patients and independent medical practices with 9% of respondents reporting practice closures with many more concerned about potential practice closures as patient office visits plummet due to “stay at home” orders and other concerns. As Kareo was publishing these survey results, the Coronavirus Aid, Relief and Economic Security (CARES) Act was signed into law, potentially providing a lifeline to the most severely impacted medical practices.
By mid-March, independent healthcare professionals were already facing the practice and personal impacts of the coronavirus pandemic, with 28% of practices only offering telemedicine visits and 9% of practices already closed, with many more concerned about the risk of future closure. While 63% of practices were still delivering on-site care, most of these practices were exploring options to move to hybrid or exclusively telemedicine-based care.
Kareo’s ongoing analysis of actual patient encounters across more than 50,000 medical providers found that by late March independent medical practices had experienced an approximately 35% decline in patient volume, raising alarm around both the apparent inability of patients to access care and the operational viability of medical practices if this trend continues.
Kareo’s research also highlighted the impact felt by the more than 5,000 medical billing companies across the country, with these service providers reporting immediate impacts on their businesses due to the precipitous decline in medical practice patient volume. These companies play a critical role in the healthcare ecosystem by providing medical billing expertise that is essential for the financial viability of many independent medical practices. Financial risk to these service providers creates another risk for medical practices to manage as practice volumes ultimately return to normal.
To address “stay at home” orders and patient concerns about face-to-face medical encounters, healthcare professionals have rapidly turned to telemedicine solutions. By mid-March, fully 41% of independent medical practices reported offering telemedicine, up from 22% reported in Kareo’s State of the Independent Practice Report in late 2018.
An additional 34% reported current efforts to deploy telemedicine options, which ultimately will result in the vast majority (75%) of medical practices providing remote care solutions. In the third week of March, Kareo saw a 500% week-over-week increase in telemedicine visits while working to accommodate an over 3,000% increase in telemedicine adoption.
The easing of regulatory requirements related to telemedicine security and functionality allowed medical practices to access a broader set of possible telemedicine solutions, ranging from medically specific options like Kareo Telemedicine, which is HIPAA compliant and fully integrated with the broader patient engagement, electronic health record, and billing technology platform, all the way to general video call technology such as Apple FaceTime. Easing Medicare, Medicaid and commercial insurance reimbursement requirements for telemedicine also supported the rapid pivot to virtual care and is essential in supporting the financial viability of medical practices and their supporting medical billers.
“Independent medical practices stand as the cornerstone of the U.S. healthcare system and are responsible for more than two-thirds of annual patient visits,” said Dan Rodrigues, founder and CEO of Kareo. “Yet our research shows that even doctors are not immune to the economic impact of the coronavirus pandemic. Telemedicine and the CARES Act provide critical lifelines to ensure independent practices remain available to their patients through this crisis.”
There are several government programs that practices can take advantage of to ease financial burdens and maintain their current staff levels. Small business loans, tax relief, Medicare payment advances and grants are a few of the options currently available. In combination, these programs can help ensure that independent medical practices and clinics emerge from the COVID-19 pandemic with minimal damage to the long-term viability of their business.
The CARES Act expands eligibility for loans under Section 7(a) of the Small Business Act and authorizes the Small Business Administration to make $349 billion in Section 7(a) loans. The CARES Act also offers an employee retention tax credit (Employee Retention Credit) designed to encourage eligible employers to keep employees on their payroll. The Centers for Medicare & Medicaid Services (CMS) has expanded their current Accelerated and Advance Payment Program to a broader group of Medicare Part A providers and Part B suppliers. Details on the eligibility, and the request process are outlined in the Expansion of the Accelerated and Advance Payment Program fact sheet. The expansion of these programs is also only for the duration of the public health emergency. For more information on resources available to help with the COVID-19 crisis, visit Kareo.com/covid-19.
The healthcare industry is ripe for disruption and transformation. According to McKinsey & Company, U.S. pharma is “in a state of flux.” Seismic shifts are happening, from significant merger and acquisition (M&A) activity to pharmacy store closures to changes in strategic partnerships between major health insurers and pharmacy benefit managers (PBMs), and the seemingly inevitable entry of Amazon into the market. Moreover, the healthcare ecosystem continues to face challenges as it attempts to comply with regulations like HIPAA and HITECH.
During this period of change, McKinsey’s research establishes three imperatives for healthcare businesses to consider. The first is to pursue business models that deliver a lower total cost of care for consumers and employers. The second involves leveraging data aggregation and big data analytics to generate insights and create value, and the third is to put the consumer at the center of everything by creating innovative ways to bring more consumer-driven insights and actions into the business.
The growth in digital health indicates that many businesses are acting on these imperatives and are finding commercial success. The digital health sector is currently estimated at $86.4 billion and is predicted to grow by almost 30 percent year-over-year through 2025. But in an industry as vast and complex as healthcare, it is challenging to appreciate the realities of digital disruption without drilling down into specific sub-sectors and profiling some of the disruptors that are in the process of altering their landscapes.
Following are some examples of how the “value pool” is shifting in this industry, resulting in cost savings for patients through the elimination of waste.
Pharmacy benefit management value pool shifts by removing inefficiencies
Pharmacy benefit management (PBM) includes third-party administrators for prescription drug programs at insurance companies, businesses, self-insured employers and government health plans. PBMs have a vast market valuation of $368 billion, as of 2018, within the U.S. healthcare system and an expected annual growth forecast of more than 9 percent.
Despite the size of the market, however, many PBMs do not have the technical sophistication to flourish in the digital world, which has given rise to companies such as RxSense. Previously a PBM, RxSense pivoted to meet the real-time needs of customers by providing a business-to-business (B2B) digital platform for the whole PBM industry. Its goal is to bypass problems with legacy PBM systems, including a lack of innovation, inefficiencies, inflexibility and challenges around accuracy and transparency.
The next step beyond digitization for players such as RxSense will be the application of artificial intelligence (AI) and machine learning technologies to further increase administrative efficiency, drive down costs and, ultimately, improve clinical outcomes.
It’s perhaps the greatest gift a person can have, but we usually take it for granted until it’s gone. Without it, nothing else in life is quite the same. And once it’s gone, it can be very hard to get it back. And while patients play the ultimate role in safeguarding and directing their health, the truth is that no one can do it alone. No matter what your role in the healthcare industry may be, you are charged with a sacred obligation to treat your patients with respect, honor, and care.
No matter who our patients are — rich or poor, young or old, sick or well — they depend on healthcare experts to help them protect this most precious gift of health. They expect and assume that those whom they entrust with their lives and the lives of those they love will be respectful of that trust, will care for them and their dear ones ethically and honorably. But what does this mean for your clinical practice? What do healthcare ethics look like in the year 2020?
Honoring the Human in the Technological Age
Privacy is one of the most sacred rights and significant concerns in healthcare. However, there’s no escaping the fact that we live in the era of big data, and there’s also no escaping the fact that big data can be a tremendous asset in healthcare. Even if a patient is thousands of miles away from home and from their primary healthcare providers, electronic health data can facilitate the sharing of essential medical records, from scans to lab results, with just the click of a button.
But how, in this age of big data and breathtakingly fast technological evolution do we ensure that respect for the human is not lost? How do we avoid reducing individual patients to a mere system of lab results and scans? How do we prevent losing the person in a sea of data sets? That will and must be one of the principal ethical considerations in 2020.
HIPAA outlines the standard security practices that organizations handling protected health information (PHI) need to adhere to. Whether or not your business is HIPAA compliant can have a huge impact on how you run your business. If you are non-compliant, you risk being involved in data breaches, which set off a domino effect. A single breach can lead to the loss of valuable customer data, expensive lawsuits, PR nightmares, and even the loss of your business.
Even without a data breach affecting your business, you still need to be compliant to be competitive in the health industry. Security-conscious businesses in the industry will only agree to do business with you as long as you are compliant. Lastly, compliance will help you evade fines from regulatory bodies, as well as appearing on the “wall of shame”, a site that lists health-related organizations that have suffered data breaches. Lucky for you, as long as you commit to understanding HIPAA compliance, it will typically be quite easy for you to know what to do.
Here are some insights on managing HIPAA compliance for your business:
What To Expect?
If you are supposed to be HIPAA compliant, you will either be a covered entity or business associate. Covered entities are organizations that have direct access to the customer and their PHI (doctors, insurance companies, and pharmacies). Business associates, on the other hand, work with the covered entities in a non-healthcare capacity, and they have access to PHI. These can be lawyers, IT personnel, accountants, and administrators. Regardless of where you fall, you need to adhere to four HIPAA rules:
1. The Privacy Rule
This rule looks to protect the privacy of PHI. It outlines how and when actors in the health industry can and cannot use health data. The data it protects includes past, present, and future health information of protected individuals, payment data, the details of the care any individual was provided with, contact information, identifying numbers (ID and social security numbers), and even fingerprints.
2. The Omnibus Rule
The Omnibus Rule outlines how business associates should conduct themselves and how they interact with the covered entity. Recent updates expanded the Omnibus Rule to storage companies, sub-contractors, and even consultants. It prohibits actors from using PHI for the wrong reasons, such as marketing or using genetic information to underwrite insurance policies.
3. The Security Rule
The Security Rule is meant to control how businesses handle electronic protected health information (ePHI). It requires businesses to have the right safeguards in place to protect the confidentiality, security, and integrity of ePHI. These safeguards are divided into three categories, including:
Dental hygiene related apps have been a feature of the medtech world for a few years, but only now are they permeating professional dental care. Forbes has noted the trickle of algorithm-led dentistry into clinics, and is now predicting that digital dentistry will become a key component of everyday practice. For many patients and clinics alike, these new developments will enable greater levels of care.
Involvement in daily habits
The key to healthy teeth is good habits. As noted by clinicians at the experienced Gresham emergency dentist, Main Street, education on how to keep teeth clean and what foods to avoid will do much of the work without individuals needing to visit a professional. The hard work begins when the patient returns home. Increasingly, dentists are using apps that pair with smart devices, such as the toothbrush, to gain an all-round picture of patients and their habits. According to the New York Times, these platforms are becoming increasingly common and will become standard practice within years.
Improving clinic efficiency
With the connection to patients made, startups have found ways in which to further develop technology’s role in the clinic. Most recently, Tech Crunch reported that developers VideaHealth have introduced a software suite that can help dentists to look into key signs of dental disease, and in some cases even cancers, such as misshaping of the mouth and throat. Using sophisticated imaging technology within peripherals or the toothbrush, this is ultimately improving efficiency in the dentist clinic – and keeping costs down.
Using big data
Data sharing has always been a sticky subject in the medical world. Measures like GDPR and HIPAA, while initially causing consternation and some frustration, have ultimately cleared the lines on what can and what can’t be shared, and how. As a result, big data is now there for use in medical applications, including dentistry. According to Dentistry IQ, this will enable dentist clinics to pull data from a staggering range of sources and improve patient outcomes.
Developments in technology have had a profound impact on nearly every aspect of our lives. We can hardly get through an hour without tech having an effect on what we’re doing, let alone a full day. From the morning alarm on our smartphones, to the Bluetooth sound system in our cars, to the social media accounts we share everything on, technology surrounds us.
Perhaps one of the aspects that many of us think the least about is how it has utterly transformed the way we manage our healthcare data. The development of electronic health records and, even more importantly, the cloud, have brought about all sorts of changes. Many have the potential to impact our lives in both positive and negative ways depending upon how they are managed.
When it comes to our health data, there is an added urgency in making sure everything is safe and secure no matter where it is ultimately stored. Well managed data can mean a more efficient and effective healthcare service, while mismanaged data can lead to the loss of personal information and an unraveling of the privacy most of us have come to expect in a professional healthcare setting.
Medical Records, HIPAA and the Cloud
In 1996, the United States government passed HIPAA, a landmark healthcare act that helped to create and enforce privacy and data security requirements associated with medical information. The act has since been expanded in an effort to keep up with modern technologies, and nearly everyone involved in the healthcare system is expected to follow the rules. Because of this legislation, one can expect that their medical records will be kept private unless they choose to release them, no matter where they are stored.
Cloud-based data storage and technology provides numerous benefits to the healthcare system including things such as better dataset analysis, improved efficiencies in individual patient care, and a much lower cost. However, it can also lead to a number of concerns, especially when it comes to HIPAA compliance. HIPAA rules not only apply to the medical facilities that are using cloud technology, but also to the tech vendors as well.
Unfortunately, just because cloud technology providers are not exempt from HIPAA rules, does not mean that they necessarily follow them. There is no real certification process and the government doesn’t exactly clear companies to work with healthcare organizations. It is completely up to the healthcare entity and the tech provider to make sure their services are meeting the necessary HIPAA standards.
Loopholes in the System
It may come as somewhat of a surprise to both patients and healthcare providers to learn that there are popular new aspects of medicine and technology that aren’t necessarily covered by HIPAA regulations. For instance, HIPAA does not cover anonymized data such as the data that is collected during genetic testing. Essentially, this allows for a patient’s anonymous information to be shared at will.
Today, the average cost of a healthcare data breach is $429 per record. When organizations factor in the loss of productivity, the amount of civil complaints and fines levied, plus the public relations besmirching, the cost implications skyrocket. In 2018, the Department of Health and Human Services Office of Civil Rights concluded a record year in HIPAA enforcement activity – 10 settlement cases and one judgment totaled a whopping $28.7 million.
Though every industry is susceptible to cyberattacks, healthcare has experienced the largest growth in attacks over the years because patient records, insurance information, and social security numbers are more valuable on the dark web. Unfortunately, legacy systems may be to blame for the uptick in cyberattacks. Forescout researchers determined that 53% of common medical devices are still operating on traditional, legacy platforms.
Legacy systems, insufficient access controls, and the proliferation of medical IoT devices have created security vulnerabilities that leave hospitals wide open to cyberattacks. Research from Vectra found that the majority of legacy systems are unsecured because healthcare organizations simply can’t afford the amount of downtime that patching requires.
To guarantee that unstructured data is transmitted securely, healthcare organizations must extend their analog fax machines to a hybrid-cloud network that is HIPAA compliant and provides end-to-end encryption, two-factor authentication, and direct faxing capabilities.
By leveraging the cloud and delivering all faxes via HTTPS, outdated fax boards, media gateways, and the complex telephony stack are eliminated. Unlike a legacy analog fax infrastructure, hybrid cloud technology can ensure that time-sensitive protected health information (PHI) is delivered within seconds with high-resolution, near-diagnostic image quality and the highest levels of encryption. The accessibility of fax, coupled with the scalability of the cloud, ensures the exchange of PHI across the healthcare ecosystem is protected. This allows patients to receive high-quality care without compromising their personal information.
By Dan Potter, vice president of product marketing, Attunity, a division of Qlik.
Data is the lifeblood of every hospital and healthcare organization. Without it, doctors can’t access updated patient records for proper treatment; billing departments are unable to correctly process insurance claims; and research teams are limited in their ability to uncover new findings. Today there are issues with both data availability and access to the right information for all users within a governed, HIPAA-compliant structure, and these issues keep healthcare organizations from effectively scaling the use of data to impact lives.
Data analytics is often discussed as a key element because of its potential to uncover insights that improve operations while also increasing care quality and efficiency. In today’s world of tight budgets and rising costs, it’s essential that organizations maximize staff time allocated to care and minimize costs. However, even if a hospital provides access to all its data, a lack of data literacy – an individual’s knowledge of how to use and analyze data – could limit data’s effectiveness in improving care and operations.
Healthcare organizations must find a data cure that will address both data challenges: access to and use of information. The emerging methodology known as DataOps addresses both issues.
DataOps is a new approach to agile data integration that looks at the challenge from a holistic perspective of people, process and technology. It focuses on improved collaboration and automation of data flows across an organization. When done correctly, it results in a coherent set of processes that help the organization manage and use its data in real time to transform patient care and experience.
Fighting the Data Access Challenge
As the amount of data increases daily, one of the biggest issues is how to capture and manage it all efficiently. For healthcare this includes allowing appropriate real-time access to that data for analytics by all users – while keeping it protected in accordance with HIPAA. One of the first steps is implementing modern data architectures that can handle the growing data volume. Open architectures based on hybrid and multi-cloud provide the greatest efficiency along with the agility to improve patient care and increase operational efficiencies.
Home health agencies need to be able to access and share PHI while they are on-the-go – often while using their smartphones or tablets. It’s critical that these types of communication are both fast and secure. However, many home health agencies allow staff to use text messaging when sharing patient data with each other, colleagues, or the patients themselves.
Text isn’t always best, despite its popularity for convenient communications. Agencies might be more at risk than they think if staff members are texting each other information about patients. And free consumer group messaging apps run on vulnerable platforms that are unable to address healthcare-specific needs in terms of security and compliance.
An agency places itself and its patients at risk when sending ePHI via unencrypted text messaging. Traditional texting may not meet security or compliance requirements set forth under HIPAA. The HIPAA Journal indicates that the fine for a single breach of HIPAA can be anything up to $50,000 per day the vulnerability responsible for the breach is not attended to. Organizations which text in violation of HIPAA can also face civil charges from the patients whose data has been exposed if the breach results in identity theft or other fraud.
Immediacy, privacy and trust are key when communicating PHI among agency clinicians and the broader care team (e.g., the referring physician, a specialist, a pharmacist, etc.). For example, the patient or the field nurse can snap a picture of a patient’s wound and then send it securely to the wound care specialist for his/her recommendation. A wound care specialist can make a decision remotely – saving drive time and expenses – and immediately provide assistance to the field nurse.
Decision-making is accelerated, helping patients receive timely care and assistance. Staff productivity is optimized, helping the agencies better leverage specialists across a larger number of cases. ER visits and re-admissions are reduced, helping enhance patient satisfaction and outcomes.
With secure messaging functionality, home health staff members can easily and securely communicate and collaborate with colleagues, their patients and family caregivers, and with other care team members such as the referring physician or another specialist. HIPAA-compliant secure messaging is critical to securing ePHI in staff-to-staff and staff-to-patient communications.