Guest post by Mohan Balachandran, co-founder and president, Catalyze.
As we look back on 2015, we can reflect, review and, based on that and other factors, make some predictions about what next year will bring. John Halamka had an interesting post reflecting on the bigger challenges, such as ICD-10, the Accountable Care Act and its implications for data analytics, the HIPAA omnibus rule and its impact on cybersecurity and audits, and the emergence of the cloud as a viable option in healthcare. We can expect some of these trends to continue and grow in 2016. So, based on these key learnings from 2015, here are a few predictions for 2016.
Cybersecurity will become even more important
In 2015, insurers and medical device manufacturers got a serious wake-up call about the importance and cost of cybersecurity lapses. Healthcare data will increasingly be viewed as strategic data: a stolen credit card can always be replaced, but a diagnosis cannot change, so the potential for misuse is significant. Just as the financial industry has settled on PCI as its standard, expect the healthcare industry to get together to define and promote a standard and an associated certification. HITRUST appears to be the leader, and recent announcements are likely to further cement it as the healthcare security standard. Given all that, one can safely expect spending on cybersecurity to increase.
IoT will get a dose of reality
The so-called Internet of Things has been undergoing a boom of late. However, the value from it, especially as applied to quantifiable improvement in patient outcomes or care, has been lacking. Detractors point out that the quantified-self movement, while valuable, self-selects the healthiest population and does little to address the needs of older populations suffering from multiple chronic diseases. Expect to see more targeted IoT solutions, such as those offered by Propeller Health, that focus on specific conditions, have clear value propositions and savings, and offer more than just a device. Expect some moves from Fitbit and others who have raised lots of cash recently, in the form of new product announcements and possible acquisitions.
Lightning Bolt invests heavily in research and software development to solve complex problems in the area of medical staff scheduling.
Lightning Bolt is the leading provider of automated physician scheduling for hospitals around the world. The company manages more than 3 million physician hours each month, helping to create shift schedules that promote work-life balance, productivity and patient safety.
Lightning Bolt’s cloud-based scheduling platform helps hospitals create dynamic staff schedules with a few clicks, automatically optimizing hundreds of complex scheduling rules. Physicians are able to request time-off and shift changes through the platform, creating transparency and a fair system that balances staff needs. The system also includes HIPAA-compliant messaging and detailed analytics.
Working as a staff scientist at the Los Alamos National Laboratory scheduling massively parallel supercomputers in 1998, Lightning Bolt founder Suvas Vajracharya, Ph.D., was approached by a high school friend, a doctor, for help with a big frustration. The doctor had noticed that the seemingly simple task of creating call schedules for his group was deceptively complex and time consuming, and often proved an inexact science in which the equitable distribution of staffing resources and the honoring of individual physician requests would conflict or simply could not be met.
Suvas saw that his own technology experience with scheduling supercomputers could provide the foundation for creating an elegant, easy to use solution to solve the inherent complexities in medical staff scheduling. Both supercomputing and medical staff scheduling share fundamental requirements, including the need to distribute tasks equally and efficiently in the presence of complex and often changing rules with varying priorities. Within a few months, Suvas developed a prototype scheduling system to tackle his friend’s challenging problem and Lightning Bolt was born.
The company’s growth has largely been through word-of-mouth between physician executives and hospital operations leaders who have discovered the software and become loyal customers. Lightning Bolt also attends several industry events each year, including HIMSS, MGMA and RSNA.
The vast majority of physician scheduling is still done manually today at America’s 5,700 hospitals. There are emerging players in the space of automated scheduling but nowhere near as established as Lightning Bolt. The company is part of a growing sector of hospital operations technology, including companies such as Silversheet, Modio Health, HealthLoop and AnalyticsMD.
How does your company differentiate itself from the competition?
Lightning Bolt is the only platform that considers significant and complex relationships to auto-generate the best possible schedules for large medical organizations. It is also the only scheduling system that provides transparency across a healthcare workforce. Since manual scheduling using spreadsheets or paper is the largest competitor, Lightning Bolt’s biggest differentiators tend to be time and efficiency. In one case study, iNDIGO Health Partners generated a $38M ROI over 5 years by switching from manual to automated scheduling with Lightning Bolt.
More and more healthcare practitioners are turning to social media to disseminate health-related information and communicate with customers and others in their field. However, healthcare practitioners should pay close attention to the information they share to ensure that they comply with the HIPAA Security Rule. Here are a few guidelines to assist you in implementing a social media strategy that complies with HIPAA standards.
What is HIPAA?
First, let’s begin with a basic understanding of the law. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law mandating the non-disclosure of private and personal patient information by healthcare professionals and their business associates. The exception to this rule is that the patient’s information can be shared internally within the confines of the hospital between doctors and healthcare professionals, or between the hospital and the insurance company for payment purposes. Unless the patient waives the non-disclosure, their information has no place outside the databases of the hospital and the insurance company.
Guidelines for remaining HIPAA compliant
An accidental error in the information shared on social media can mean that HIPAA has been inadvertently violated. While the mistake may not be on your part, it could mean a host of problems for you, your business and your reputation. Staying cautious about the information disseminated through your organization’s Facebook, Twitter or other social media pages is critically important to your career.
Seek patient consent before you post anything – Before you write about a case, seek your patient’s consent. Confidentiality is a fundamental aspect of the relationship you share with those who have sought your professional assistance. Acquiring prior consent should never be overruled, regardless of whether your client’s identity has been omitted from the information you shared online.
Inform before you engage – Some patients are less private about their medical conditions and would like to communicate with you through social media. You should attempt to take the conversation into the privacy of your workplace. If your patient insists on an online dialogue, inform them of the risks associated with revealing personal information online, then acquire the patient’s consent before communicating through social media.
Guest post by Pawan Sharma, director of operations for healthcare at Chetu.
Healthcare is quickly adapting to the digital environment by leveraging web-based technologies, electronic health records (EHR) and mobile devices to facilitate the movement of information. With innovative software technology comes great responsibility. One of the unfortunate downsides to increasing the use of technology for data sharing in the healthcare world is the risk of data falling into the wrong hands. Full measures need to be put in place to protect patients’ Protected Health Information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) mandates that all PHI be secured. Any breach, if not handled appropriately under established procedures, can lead to grave consequences including heavy penalties, jail time, or both. Needless to say, proper mechanisms need to be implemented to secure data while it is stored, transmitted and consumed.
Understanding Regulatory Standards
Knowledge is power. It is paramount that software providers look for back-end development partners that have healthcare IT experience. This includes extensive knowledge of and proficiency with federal regulations such as the American Recovery and Reinvestment Act (ARRA), meaningful use stages 1 and 2 and the Accountable Care Act; with regulatory health information exchange (HIE) standards such as Health Level 7 (HL7), Health Information Exchange Open Source (HIEOS), Fast Healthcare Interoperability Resources (FHIR), Consolidated Clinical Document Architecture (C-CDA) and Continuity of Care (CCD/CCR); and with clinical and financial workflows.
With information traveling over a network, it may be subject to interception. Hence, it is important that data be encrypted in transit. Vendors must include encryption technology to prevent disclosure of patient health information while data is communicated between the application and the server. Web traffic must be transmitted over a secure connection using only strong security protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). SSL/TLS certificates are lightweight data files that are purchased and installed directly on the server. Once implemented, a user will be able to connect to the web-based application server over a secure connection with an internet browser.
Organizations have been keen on securing networks and internal infrastructure from external threats. With this in mind, malicious entities are looking to breach data at the application level. Healthcare software proprietors must protect their applications from security threats by employing hardening tactics that shield bugs and vulnerabilities in the code. This technique primarily includes code obfuscation, the act of intentionally making source code obscure so that it is difficult for other parties to decipher. Properly employing this tactic hinders a threat actor’s ability to reverse engineer and tamper with an application in order to facilitate a breach.
Guest post by Lucy Doyle, Ph.D., vice president, data protection, information security and risk management, McKesson, and Karen Smith, J.D., CHC, senior director, privacy and data protection, McKesson.
Today there are opportunities and initiatives to use big data to improve patient care, reduce costs and optimize performance, but there are challenges that must be met. Providers still have disparate systems, non-standard data, interoperability issues and legacy data silos, as well as the implementation of newer technologies. High data quality is critical, especially since the information may be used to support healthcare operations and patient care. The integration of privacy and security controls to support safe data handling practices is paramount.
Meeting these challenges will require continued implementation of data standards, processes, and policies across the industry. Data protection and accurate applications of de-identification methods are needed.
Empowering Data Through Proper De-Identification
Healthcare privacy and security professionals field requests to use patient data for a variety of use cases, including research, marketing, outcomes analysis and analytics for industry stakeholders. The HIPAA Privacy Rule established standards to protect individuals’ individually identifiable health information by requiring safeguards to shield the information and by setting limits and conditions on the uses and disclosures that may be made. It also provided two methods to de-identify data, providing a means to free valuable de-identified patient level information for a variety of important uses.
Depending on the methodology used and how it is applied, de-identification yields quality data that is highly usable, making it a valuable asset to the organization. One of the HIPAA-approved methods to de-identify data is the Safe Harbor method. This method requires removal of 18 specified identifiers (protected health information) relating to the individual or to their relatives, employers or household members. The 18th element requires removal of any other unique characteristic or code that could lead to identifying the individual who is the subject of the information. Determining that the Safe Harbor criteria have been met appears fairly straightforward, but doing it properly requires a thorough understanding of how to address certain components, which can be quite complex.
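As an added worked example (not McKesson’s tooling or the authors’ code), the Python below applies the Safe Harbor rules described above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes to their first three digits (or 000 for sparsely populated areas), ages over 89 are collapsed into a single 90+ category, and free-text fields are held back for review because they can carry the 18th-element catch-all. The field names, the sample records, the reference date and the restricted ZIP prefix set are assumptions made for this example.

```python
from datetime import date

# Assumed record schema for this example. Keys that Safe Harbor requires
# removed outright (names, geography below state, contact details, numbers
# that identify the person, device/vehicle/web identifiers, biometrics, photos).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
})
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})
# Free text can carry any identifier (the 18th, catch-all element), so it is
# withheld for review rather than released.
FREE_TEXT_FIELDS = frozenset({"note"})
# Constructed placeholder: 3-digit ZIP prefixes whose combined area has
# 20,000 or fewer people must become "000". The real list is derived from
# Census data; refresh it from there rather than copying this set.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102"})

AS_OF = date(2015, 12, 1)  # constructed reference date for computing ages

# Constructed sample records; no real patient data.
SAMPLE = {
    "name": "Jane Q. Example", "mrn": "000123456",
    "street_address": "1 Example Way", "city": "Springfield", "state": "IL",
    "zip": "62704", "birth_date": date(1931, 5, 14),
    "admission_date": date(2015, 11, 3), "email": "jane@example.invalid",
    "diagnosis": "J45.20", "note": "Patient lives next to the old mill.",
}
SAMPLE_OVER_89 = dict(SAMPLE, birth_date=date(1920, 1, 1))


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or '000' for restricted prefixes."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth: date, as_of: date) -> int:
    """Whole years elapsed between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age: int):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else age


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Return a de-identified copy of record under the Safe Harbor rules."""
    out = {}
    needs_review = []
    over_89 = False
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        over_89 = age > 89
        out["age"] = generalize_age(age)
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # removed outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # For over-89 patients even the birth year reveals an age over 89.
            if key == "birth_date" and over_89:
                continue
            out[key.replace("_date", "_year")] = value.year
        elif key in FREE_TEXT_FIELDS:
            needs_review.append(key)      # withheld; review before release
        else:
            out[key] = value              # e.g. state, diagnosis codes
    out["_needs_review"] = needs_review
    return out


if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
    print(safe_harbor(SAMPLE_OVER_89))
```

The `_needs_review` list is the practical point: a field-level filter can satisfy the 17 enumerated elements mechanically, but the 18th element (any other identifying characteristic) hides in free text, which is why the function withholds notes instead of passing them through.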
The second de-identification method is the expert method. This involves using a highly skilled specialist who utilizes statistical and scientific principles and methods to determine the risk of re-identification in rendering information not individually identifiable.
We need to encourage and support educational initiatives within our industry so more individuals become proficient in these complex techniques. At McKesson, we are educating our business units so employees can better understand and embrace de-identification and the value it can provide. This training gives them a basic understanding of how to identify and manage risks as well as how to ensure they are getting quality content.
Embracing Social Media and New and Improved Technologies
One of the challenges we face today in de-identifying data is adapting our mindset and methodologies to incorporate new emerging technologies and the adoption of social media. It is crucial to understand how the released data could potentially be exposed by being combined with other available data. New standards are needed.
While de-identifying data can be challenging and complex, the task is made easier when we remember and adhere to our core directive to safeguard data. With this in mind, incorporating new technologies is part of an ongoing process of review.
When done properly, de-identification enables high quality, usable data, particularly when the expert method is used. De-identification should not be viewed as an obstacle to data usage, but rather as a powerful enabler that opens the door to a wealth of valuable information.
Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.
The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.
A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Accurate, Effective and Secure Use of Patient Information at Point of Care
Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information as part of achieving HIPAA-compliant use of PHI with software by adding a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:
Authorization: only authorized staff can access specific devices, network applications and resources, with password- or smartcard-based authentication. Network authentication is seamlessly integrated with the document workflow, and to ensure optimal auditing and security, documents containing PHI are captured and routed to destinations such as email, folders, fax and EHR systems.
Authentication: user credentials must be verified at the device, by PIN/PIC code, proximity ID or by swiping a smart card, to access documents containing PHI. Once the user is authenticated, the solution controls what users can and cannot do. It enables or restricts email or faxing and prohibits documents with PHI from being printed, faxed or emailed.
Encryption: communications between smart MFPs and mobile terminals, the server and destinations such as the EHR are encrypted to ensure documents are visible only to those with proper authorization.
File destination control: simultaneously monitors and audits the patient information in documents, ensuring PHI is controlled before it ever gets to its intended destination.
Content filtering: automatically enforces security policies to proactively prevent PHI from leaving the hospital by filtering outbound communications and intercepting documents, rendering misdirected or intercepted information unreadable to unauthorized users.
Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.
Myth: All email is HIPAA-compliant
This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.
Myth: My business is too small to worry about HIPAA
Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.
Myth: Any email with PHI must have encryption
If emails are sent in-office over a secure network, encryption over e-mail is not necessary. But once that email is sent out of the office over a wide area network, or through the internet, encryption is a must.
Myth: The recipient must have encrypted email
The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.
Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.
The need for ongoing reviews of business associate agreements stems from an increased focus on compliance and on audits from the Office of Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPAA-compliant providers such as healthcare fax companies to transmit protected data on their encrypted servers has been the best way for health care professionals to avoid audit issues.
However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.
Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.
The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements, highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.
Considerations for Review
Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.
Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.
When reviewing your business associate agreements, there are a few key points to pay close attention to:
Today’s physicians face an increasing array of non-clinical demands on their time, from filling out paperwork to sorting through insurance denials. As a result, the amount of time doctors have to actually see patients has been reduced.
The combination of decreasing number of physicians, increasing demand for quality care, and rising costs of healthcare has created a challenging environment for both patients and healthcare professionals.
Nearly all of us have experienced long wait times at a physician’s office, often for minor ailments or routine follow-ups. These lengthy wait times are causing more and more patients to skip follow-up visits or turn to unreliable online medical services and websites for information. This not only erodes the doctor-patient relationship, but it puts patient health at risk. Furthermore, the information is not properly shared with the patient’s actual physician.
Today’s ultra-connected world has a solution that can bring the doctor-patient relationship into the 21st century: telemedicine.
Telemedicine is a suite of technology solutions that enables doctors to communicate with and treat patients via text, video and audio – and it can be used by physicians, nurses, office staff, any healthcare professional and, of course, patients. Telemedicine allows physicians to provide more convenient, real-time interactions with their own patients, for triaging acute issues and for quick follow up visits that can save the entire health system time and money.
And it’s far from the latest medical fad. Telemedicine is already one of the fastest growing segments in healthcare. According to the American Telemedicine Association, half of all U.S. hospitals now use some form of telemedicine. Similarly, Health Affairs has predicted an increase in domestic telehealth revenue by almost 20 percent per year, to $1.9 billion by 2018.
Connecting to patients, anywhere and anytime
Clearly, these solutions have ushered in a new age of medicine. Technology can also provide real-time data on patient vital signs, blood sugars and other information to improve the monitoring of chronic conditions, reducing readmission rates and keeping our patients healthier outside of the hospital.
Factors fueling the growth of telemedicine are as follows: a shortage of physicians in rural and remote areas, the high prevalence of chronic diseases, growing elderly populations, increasing numbers of smartphone users and the need for improved quality of care.
Telemedicine solutions fall into two broad categories: remote patient monitoring and online/digital communications. Remote patient monitoring links home healthcare equipment (heart monitors, dialysis equipment, etc.) to the internet and then securely reports patient data back to a healthcare provider.
Guest post by Ali Din, senior vice president, dinCloud.
With support having ended for Windows Server 2003, many organizations are left asking how to proceed with the soon-to-be obsolete server operating system. For organizations held to regulatory compliance standards, this question holds additional complexity. One of the industries undoubtedly scratching its proverbial head this week as support ends is healthcare.
Over the past few years, HIPAA, the Health Insurance Portability and Accountability Act of 1996, and HITECH, The Health Information Technology for Economic and Clinical Health Act, have largely determined the trajectory of IT and operations in healthcare. Perhaps most notably, HIPAA has helped govern patient security as healthcare institutions were incentivized to migrate health records to an electronic format through meaningful use. As EHRs, cloud and mobility solutions abounded, HIPAA guidelines dictated privacy and security standards for the industry. Today, many healthcare organizations are faced with a similar transition. Like all organizations, healthcare institutions have the option to migrate their servers to a supported operating system, which typically includes a corresponding hardware upgrade. Alternatively, they can migrate these workloads to the cloud. However, as reported by the Wall Street Journal, “analysts say that the technology [Windows Server 2003] is more prevalent in healthcare, utilities and government,” demonstrating that inaction seems to be more prevalent in the healthcare sector than one would think.
Those who have not yet migrated from Windows Server 2003 will be exposed to significant security risk and may compromise HIPAA compliance, as it is unlikely the operating system will remain a HIPAA-supported platform.
The implications of not migrating extend beyond just the affected server. One unpatched vulnerability can compromise an organization’s entire infrastructure.
End of support means that Microsoft will no longer issue patches and security updates for Windows Server 2003, and the resulting security risk is so severe that US-CERT, a branch of the Department of Homeland Security, issued a security alert warning of the “impact” of end of support. The alert states, “organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.”
Like the security risk, cost for extended support will also compound for healthcare organizations. Microsoft is charging $600 per server for the service, which will quickly add up.
With the risk and cost associated with not migrating, why are so many healthcare organizations approaching the deadline with no foreseeable migration plan? Like many goings-on in the industry, it’s complicated.
One factor is that some mission critical applications may not transition to a supported platform. That leaves IT administrators choosing between migration and applications that, in some cases, may be in daily use by their workforce.
And, finally, if it ain’t broke (yet), don’t fix it. Like many industries, healthcare organizations often see heightened demand placed on smaller teams, which doesn’t leave ample time for proactive work. In these scenarios, migration planning may not have been prioritized with budget or resource allocation.
However, with end of support approaching in just a few days, regardless of the reason why these organizations didn’t migrate, they will soon be faced with the consequences.