Tina Greene, Senior Regulatory Affairs Consultant, Casualty Solutions Group, Regulatory Affairs and Compliance at Mitchell International.
The Administrative Simplification provisions of the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) include requirements that national standards for electronic health care transactions be established. These standards were adopted to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care.
In the final rule, it’s recognized that:
“Non-HIPAA entities such as workers’ compensation programs and property and casualty insurance accept electronic healthcare transactions from providers, however, the Congress did not include these programs in the definition of a health plan under section 1171 of the Act.
The statutory definition of a health plan does not specifically include workers’ compensation programs, property and casualty programs, or disability insurance programs, and, consequently, we are not requiring them to comply with the standards. However, to the extent that these programs perform healthcare claims processing activities using an electronic standard, it would benefit these programs and their healthcare providers to use the standard we adopt.”
“Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard Maintenance Organizations; Final Rule and Notice.” Federal Register 65:160 (17 August 2000) p. 50319.
In an effort to realize the effectiveness of electronic data interchange, some states have adopted regulations requiring electronic healthcare transactions for billing and payment. Early implementers of EDI for workers’ compensation in various states identified issues such as payer ID (claim administrator identification), claim filing indicator code and claim number, and worked with stakeholders to find resolutions. These issues have since been addressed in industry standards.
Every day, physicians send and receive clinical information to and from patients, nurses, care managers, pharmacy technicians, specialty clinics and other physicians. These communications occur through a wide range of modes—including smart phones, pagers, CPOE, emails, texts and even messaging features within electronic medical records. Patient health information (PHI) is constantly exchanged through these messages, and to avoid a HIPAA violation, which can cost millions of dollars plus a hit to reputation, practices must make sure proper security features are in place.
Especially for physicians in smaller practices who are already strapped for time and resources, a HIPAA violation could leave their practice in a precarious situation. In fact, according to a recent study by the Ponemon Institute, the average cost of HIPPA breaches from 2010 through 2012 was $2.4 million per organization. To meet evolving guidelines around the quality of care, increase efficiency and potentially avoid financial penalties in the years to come, physicians must address communications security holistically.
The final HIPAA ruling requires physicians look at their entire risk management process, and not just specific technologies, which is why “HIPAA-compliant” text messaging isn’t yet possible. While texts are commonly sent between two individuals via their mobile phones, the “communication universe” into which a text enters is actually much bigger. This universe also includes creating electronic PHI (ePHI) and sending messages—in text and voice modalities—from mobile carrier web sites, paging applications, call centers, answering services and hospital switchboards.
The law stipulates that a covered entity – i.e. a physician, medical group practice, hospital or health system – must perform a formal risk assessment; develop and implement and effective risk management strategy based upon the findings in that risk assessment; implement the strategy using sound policies and procedures; and monitor its risk on an ongoing basis. These regulations apply to physicians creating, transmitting and receiving PHI in any electronic form.
While there is no “one-size-fits-all” approach, medical practices can take the following steps to improve the security of their communications:
Today’s healthcare system is becoming progressively technology dependent. With the need to meet meaningful use requirements, convert to ICD-10, or work with health information exchanges (HIEs), healthcare organizations must have effective IT solutions, but building and implementing one successfully is not an easy task.
Below is a list of 10 fundamentals of successful healthcare IT project implementation, management and execution that will help your organization, whether clinical, business, or IT, design and develop a functional, patient-centered IT solution that fits its needs. It’s easy to let the highly technical elements overwhelm healthcare IT projects, but following these guidelines will help your team focus on the delivery of care.
Plan
Develop your plan with a detailed project introduction, clear scope, deliverables, schedules, project methodology, roles and responsibilities, and change management procedures. Consult ISO 9001/13485/62385 for information on best practices for quality management systems.
Healthcare IT projects involve a lot of moving parts and many people from different professional backgrounds. Setting clear expectations that every project member agrees on will ensure a project runs efficiently. Meeting regulatory requirements, including meaningful use goals, is a crucial aspect of carrying out a successful healthcare IT project.
Set goals and objectives
Early on in the process, involve key players – clinical, business, and IT – in determining the goals and objectives of the project. Ask your team to agree on a definition of success. Depending on the project, involving patients may be valuable. A patient portal project is an ideal situation to solicit feedback from patients.
Adapt to changing objectives
Implement effective change management procedures to your plan to ensure that the project meets the goals on-time and within budget.
Change management is important in every project, in every industry. It is particularly important at this time in healthcare. Healthcare reform and government mandates, such as Meaningful Use, are ever-changing. Recently, the deadline for compliance with ICD10 was pushed back a year. If your organization was close to a switchover, ask your project team how those changing objectives impact your plan and your goals.
Doximity is the largest medical network with one in three U.S. physicians as members. Physicians use Doximity to instantly connect with other healthcare professionals, securely collaborate on patient treatment, grow their practices and discover new career opportunities.
Its vision is a future where medical communication is effortless — fast, simple, seamless and secure. Its mission is to “help physicians transcend the fragmented U.S. healthcare system and succeed in the care for their patients.”
Doximity was founded by Jeff Tangney, co-founder and former COO of Epocrates (EPOC), and launched in March 2011. Based in Silicon Valley, it’s backed by Emergence Capital Partners, InterWest Ventures, Morgenthaler Ventures (now Canvas Fund), Draper Fisher Jurvetson, T. Rowe Price and Morgan Stanley Investment Management.
Here, Alexander Blau, MD, vice president of physician marketing and medical director for Doximity — responsible for marketing and user acquisition teams oversees the development of clinical programs, including a socially curated medical literature filter and case-based discussion forums, manages the aggregation, analysis and product integration of diverse healthcare data in charting the first-ever nationwide clinical expertise map — discusses the company, its future and what he’s seeing from his perch.
Give us the short story on what you do and how you came to health IT?
My background is as an emergency physician. During my training, I was drawn to the latest in mobile health technology and eventually built my own app for medical interpretation. From that moment, I knew I was hooked on health tech. Three years ago, I joined Doximity to join a larger team to develop yet more tools that help doctors practice medicine every day.
Tell me about Doxmity. There’s been some press lately about how it’s really innovating the space. What are you doing that makes for such success? Care to share the secret sauce?
Doximity is the first health tech company really built for physicians — as opposed to hospital administrators, billing departments, etc. In just three years, we’ve grown to be the largest network of verified physicians in the US, thanks to our focus on what doctors truly need from technology. Our focus on doctors is the secret sauce.
What are some of the misconceptions you face? Obstacles you must overcome?
There’s a misconception that physicians aren’t technology savvy, which is absolutely not true. Doctors have been among the earliest adopters of all kinds of communication technologies starting with pagers and the first smart phones. When it comes to social media, doctors are necessarily skeptical about privacy and HIPAA compliance. The great thing is that Doximity is specifically built to address physician privacy requirements and enable them to communicate professionally on the mobile devices they rely on.
Guest post by Michele Hibbert-Iacobacci, CMCO, CCS-P, vice president, information management and client services, Mitchell International.
The International Classification of Diseases – 10th Revision, Clinical Modification and Procedural Coding System’s (ICD-10-CM/PCS) implementation in the United States is being delayed yet again. According to the latest polls and surveys, there are many organizations (most who need to use it) that were ready to roll with the new classification on October 1st 2014. The change came about because the Senate approved a bill (H.R. 4302) on March 31, 2014, that delays the implementation of ICD-10-CM/PCS by at least one year and then a subsequent official announcement by CMS announced a forthcoming interim final rule that would set the new compliance date for October 1, 2015.
How will this new implementation date affect Property and Casualty payers and providers? For an industry that was not required to change, P&C was ready to go – mainly because of the dependency on payments and bill processing. The question was, “Will we see ICD-9 and/or ICD-10?”
Fortunately, from a processing perspective the P&C industry was prepared for most anything. Payers were creating processing systems and/or contracting with vendors who considered all possibilities including bills submitted with both codes and the submission of ICD-9 codes well after effective dates. These payers also considered the compliance environment as most are guided at the state level.
As difficult as it may be to be ready for the effective date of ICD-10 just to have it changed, most aspects are positive for property and casualty. Additional time for testing, communication to providers and overall education (external/internal) enhances the readiness for the new date. The negative is the cost – staff has been added and enhanced with testers, educators and coders for the initial date. Maintaining staffing levels for a longer period of time was not accounted for in most budgets. The cost will be higher to implement now and many companies did not plan on the additional timeline.
So how will this shake out moving forward? Providers will likely react by submitting ICD-10 codes to P&C payers before the implementation date of October 1, 2015. Payers will need to make decisions on how they will handle these claims since P&C is not guided by the same rules under HIPAA as the health side. Some payers may decide to turn these claims back to providers and others will translate to ICD-9 for payment. Compliance standards, whereby a state has implemented mandates on the use of code sets that need to be addressed and/or revisited, may also impact the way payers process ICD-10 codes prior to October 1, 2015.
Guest post by Travis Good, M.D., CEO and co-founder of Catalyze, Inc.
Even if a bit delayed, the power and value of cloud-based technologies is starting to seep into healthcare. With each new cloud-based technology piloted or taken to scale by a healthcare organization, other institutions and corporations become more willing to roll the dice on deploying cloud-based technology. While still slow, it is happening, but not where you may think. Instead of found in the typical core applications of EHR or practice management systems, we find cloud-based technologies being introduced into the innovative health technology areas of virtual care delivery and patient self-reporting. Those areas are breaking down the barriers to cloud adoption in healthcare and that pace is increasing.
Cloud-based technology acceptance, along with everything else in the healthcare industry is moving faster than ever before. Accountable care, bundled payments, patient satisfaction, continuous care and the consumerization of healthcare are catalyzing changes to a very large, slow moving, highly regulated and risk averse industry. Technology and technology enabled services are essential for riding out these waves of change.
Every healthcare segment has seen these paradigm shifts and is trying to carve out a piece of the new pie. Large medical centers and health systems want to commercialize tools created in-house. Payers are building technology geared toward new forms of care delivery and price transparency, while biopharma is building technology to deliver continuous care powered by data from its core products – devices and medicines. All three of these healthcare segments can build technologies that utilize cloud computing and thus reap the following benefits:
A more nimble organization
Consumption of only the resources needed
Access to technology and apps across geographic barriers
Compliance and Cloud Computing
With recent changes to HIPAA that went into affect as part of the HITECH and HIPAA Omnibus Rule in 2013, a surge in compliance interest has developed, especially with compliance as it relates to cloud computing. The HIPAA Omnibus Rule created a new segment within the string of compliance leading back to covered entities. The new “subcontractor” segment is something of which every healthcare compliance officer must be aware. In much the same way as a business associate processes, transmits or stores ePHI for a “covered entity,” a subcontractor will also process, transmit, or store ePHI for “business associates.” And, subcontractors, like business associates, are required to sign business associate agreements (BAAs). These agreements outline the obligations of each party in meeting different aspects of HIPAA compliance rules, and delegate the risk based on different types of possible ePHI breaches.
In creating this new “subcontractor” entity, the Omnibus Rule accounted for the paradigm shift in technology development and cloud computing. The most commonly used example of a subcontractor is found in a cloud hosting provider like Amazon (AWS) or Rackspace; yet, many other types of services exist that could be considered subcontractors.
As data and services are being accessed via Web services (typically APIs), a huge number of BLANK-as-a-Service offerings have emerged. Many modern applications utilize third-party APIs for features and functionality to speed time-to-market, while adding value to users. Using simple to consume APIs, modern applications can tap into databases, messaging (SMS, Push, email or voice), usage metrics, logging, customer support, data sources, backup and so forth.
Guest post by Lysa Myers, security researcher, ESET
In my last post, I discussed the steps to performing a healthcare IT risk assessment. Once you’ve determined the risks within your environment, an important part of addressing those risks is to set up policies about acceptable use – formally known as Acceptable Use Policies (AUP) – for your staff members and then to train your staff accordingly.
The weakest link in most security chains is the human element, namely people thwarting protections put in place, intentionally or by mistake, or simply through lack of understanding. But how do you set up policies and train people if neither you nor the people on your staff are particularly security-savvy?
Trainings and Templates
If you’re starting at or near ground zero when it comes to information security knowledge, the first question to ask is: Would be better to train someone to become your security guru, or to simply improve overall knowledge within the organization and establish common-sense usage policies?
Unless you have someone in your organization who is dedicated to IT tasks, it may be difficult to mandate security training, but it’s wise to have a security-conscious person handling your infrastructure. At a minimum, when you train the rest of your staff on their security roles and responsibilities, your IT personnel should go through at least as much training: they will likely be in charge of setting up the protections that are to be used by the rest of the organization.
If you have a smaller healthcare organization, you can still create an AUP, without a security guru. In fact, having a less complex organization simplifies the definition process. In this case, something which is focused on healthcare and yet very simple, where you can “fill in the blanks” could be quite helpful: HealthIT.gov provides a template that could work well for smaller organizations.
Guest post by Egor Kobelev, software delivery manager — healthcare, DataArt.
There are a lot of organizational and technical challenges health information exchanges (HIEs) struggle with while trying to deploy and maintain their platforms. One of the most complex organizational and administrative challenges is to achieve sustainability. While that is often an ultimate goal for HIEs, there is a huge amount of smaller technical challenges to meet, and the way those challenges are responded to often makes a difference for future HIE sustainability.
One of those typical tasks in the industry is a patient look up and mapping. There is a well-known issue when it comes to any sort of health data integration – the lack of a global unique patient identifier. Thousands of existing healthcare providers and payers use their own internal identifiers and there is no easy way to establish a relation between these. Social Security Numbers or similar national identifiers, while useful in some of scenarios, are not suitable for the purposes of healthcare record identification, primarily because of the risks of HIPAA rules violation.
The good part of the story is the amount of talks regarding a National Patient Identifier (NPI). For instance, HIMSS is proactively driving the initiative of introducing NPI, so that eventually patient mapping, which is currently a challenge, will be routine. However, the reality is that we are pretty far away from having NPI legislated and deployed in healthcare organizations nation-wide. At the same time, as many as 8 percent to 14 percent of patient records have errors caused by mismatching patient identifiers, which in turn causes hundreds of millions of dollars in spending to repair and reconcile the records. So, while we are waiting for NPI to come, what would be a solution which is HIPAA compliant, provides high accuracy, throughput, and minimizes manual interventions at the same time?
