By Bill Chartnetski, EVP health system solutions and government affairs, PointClickCare.
For too long, long-term and post-acute care (LTPAC) facilities have not benefited from the same health IT investments or incentives as other care sectors.
Since the U.S. government introduced the meaningful use program as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, LTPAC organizations – notably nursing homes – and the vulnerable patients they serve have been left behind. As a result, these provider types sit outside of current interoperability and health information exchange efforts, and have been slow to adopt electronic health records (EHRs) due to a lack of government incentive programs. In fact, recent data show that only 18% of skilled nursing facilities (SNFs) integrate patient health information electronically.
The lack of investment impairs the necessary exchange of health information, exacerbates care fragmentation and disables the ability to transmit a patient’s critical health and demographic data across the trajectory of care. Patients of LTPAC providers are more likely to have chronic health conditions or behavioral health needs.
The complex nature of their health history and requirements makes care coordination more difficult as they transition between settings. So, why are we depriving the providers that care for them of critical infrastructure investments, especially as other sectors have received similar investments and adoption incentives in recent years?
Long-term care facilities are suffering from long-existing shortcomings exacerbated by COVID-19. On a daily basis, they contend with staffing challenges, infection control, oversight and regulation. Yet they are resilient and unwavering in their commitment to care.
Technology presents enormous opportunities to alleviate these issues, namely staffing challenges and the burden of administrative tasks that often take them away from caring for patients. One study, for example, found that six months after implementation of an EHR, nurses were spending significantly more time engaging patients in their rooms with purposeful interactions and less time at a nurse station. Using health information technology to capture resident health information in real time can also substantially reduce staff fatigue, burnout and the burden of relying on short-term memory, while also improving patient safety by enhancing the accuracy of the patient information.
Anyone dealing with healthcare IT in the US will come across HIPAA and HITECH and HITRUST — and it’s easy to get them confused. They’re interrelated and they all concern health information and they all impact healthcare IT. But that certainly doesn’t mean they’re all the same.
Briefly, HIPAA is a law and compliance is mandatory. HITECH is another law that was subsequently folded into HIPAA. And HITRUST is a voluntary means to ensure compliance with laws such as HIPAA, including its HITECH provisions and any others that might come along. Here’s how it all breaks down:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered a lot of healthcare modernization issues, including provisions addressing insurance and taxes. But when we reference HIPAA in the IT world, we’re generally concerned with details in the Act’s Title II.
HIPAA Title II stipulates national standards for digital healthcare information management and movement. Its intent was to establish comprehensive guidance on the way personal health information (PHI) is maintained, exchanged, and protected from unauthorized exposure and theft in healthcare industries. Since the Act was signed into law at the dawn of the dot.com days, it has naturally required amendment over the years.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was part of the American Recovery and Reinvestment Act of 2009. HITECH allocated $28B to fund greater adoption of electronic health records (EHRs) through incentives, resulting in a massive digitization of health information. It also outlined additional sets of stipulations for digital standardization and added more privacy and security protections for healthcare data enforced by penalties for compliance failures.
HITECH was consolidated into HIPAA Title II in 2013 with the Final Omnibus Rule, which also expanded security and breach notification details and, notably, extended HIPAA-compliance requirements to business associate agreements. A business associate is any entity that “creates, receives, maintains, or transmits protected health information” for a HIPAA-covered entity. So pretty much anyone handling PHI has to comply with HIPAA — not just hospitals and insurance companies.
There are several regulatory compliance requirements that healthcare organizations must follow. Even so, it’s the Health Insurance Portability and Accountability Act (HIPAA) that gets the most recognition. If your organization is involved in the healthcare industry, you should ensure that it complies with the Health Information Technology for Economic and Clinical Health Act (HITECH) as well.
These two compliance requirements are somehow interrelated. However, HITECH is meant to enhance information technology in the healthcare industry while protecting the security and privacy concerns regarding ePHI. HITECH significantly modified HIPAA and the Social Security Act. Therefore, it can be difficult to understand how these regulatory compliance frameworks complement each other.
How HITECH And HIPAA Are Similar
HITECH and HIPAA compliance is overseen by the Health and Human Services Department (HHS). Typically, healthcare organizations tend to focus on HIPAA compliance since it is the backbone of the Privacy Rule that sets national standards regarding PHI and medical record protection. The Privacy Rule was adopted in 2000. Since then, HHS has only made one modification. That was in 2002 when the Privacy Rule was modified to become one of the initial information privacy and security regulations.
The Office of the National Coordinator for Health Information Technology (ONC) is mandated to promote the quality of healthcare by advancing health IT. ONC is also tasked with the role of securing ePHI and establishing procedures for electronic health records (EHRs) to promote privacy.
Therefore, while HITECH and HIPAA complement each other, they are dissimilar. HITECH focuses on information technology as well as the preservation of electronic information, whereas HIPAA dwells on protecting privacy as well as expanding beyond information systems.
How HITECH And HIPAA Differ
Although HITECH and HIPAA have many similarities, the two regulations also differ on various vital details. HITECH was meant to expand HIPAA. Even so, the latter remains focused on addressing privacy and breach notification issues to protect against identity theft and fraud. On the other hand, HITECH differs from HIPAA because it established restructured criminal and civil compliance penalties. Furthermore, HITECH extended HIPAA’s breach notification requirement beyond covered organizations also to include business associates.
From an IT perspective, compliance managers ought to focus on the significance of robust encryption. In case malicious actors breach the ePHI, effective encryption will mitigate rule violations. Therefore, if the encryption makes the information unreadable, the organization won’t be fined. Nonetheless, proving effective encryption means complying with the NIST Federal Information Process Standard. Therefore, healthcare regulatory compliance can only be realized if you fully understand your organization’s IT infrastructure.
The healthcare industry is ripe for disruption and transformation. According to McKinsey & Company, U.S. pharma is “in a state of flux.” Seismic shifts are happening, from significant merger and acquisition (M&A) activity to pharmacy store closures to changes in strategic partnerships between major health insurers and pharmacy benefit managers (PBMs), and the seemingly inevitable entry of Amazon into the market. Moreover, the healthcare ecosystem continues to face challenges as it attempts to comply with regulations like HIPAA and HITECH.
During this period of change, McKinsey’s research establishes three imperatives for healthcare businesses to consider. The first is to pursue business models that deliver a lower total cost of care for consumers and employers. The second involves leveraging data aggregation and big data analytics to generate insights and create value, and the third is to put the consumer at the center of everything by creating innovative ways to bring more consumer-driven insights and actions into the business.
The growth in digital health indicates that many businesses are acting on these imperatives and are finding commercial success. The digital health sector currently is estimated at $86.4 billion and is predicted to grow by almost 30 percent year-over-year through 2025. But with such a vast and complex industry like healthcare, it is challenging to appreciate the realities of digital disruption without drilling down into specific sub-sectors and profiling some of the disruptors that are in the process of altering their landscapes.
Following are some examples of how the “value pool” is shifting in this industry, resulting in cost savings for patients through the elimination of waste.
Pharmacy benefit management value pool shifts by removing inefficiencies
Pharmacy benefit management (PBM) includes third-party administrators for prescription drug programs at insurance companies, businesses, self-insured employers and government health plans. PBMs have a vast market valuation of $368 billion, as of 2018, within the U.S. healthcare system and an expected annual growth forecast of more than 9 percent.
Despite the size of the market, however, many PBMs do not have the technical sophistication to flourish in the digital world, which has given rise to companies such as RxSense. Previously a PBM, RxSense pivoted to meet the real-time needs of customers by providing a business-to-business (B2B) digital platform for the whole PBM industry. Its goal is to bypass problems with legacy PBM systems, including a lack of innovation, inefficiencies, inflexibility and challenges around accuracy and transparency.
The next step beyond digitization for players such as RxSense will be the application of artificial intelligence (AI) and machine learning technologies to further increase administrative efficiency, drive down costs and, ultimately, improve clinical outcomes.
The Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in the United States in 1996. The legislation creates data security and privacy requirements for safeguarding medical information. In recent years, HIPAA compliance has become a hot button issue for software developers in the healthcare space, as a number of high profile data breaches compromised millions of patient records across the country.
If you’re developing an eHealth or mobile health app, it is vital that you determine whether your software could be subject to the requirements of HIPAA for medical software applications. Failure to do so could subject you to thousands or even millions of dollars of liability if the use of your application results in an unauthorized disclosure of health information that is protected under HIPAA. Here’s how to tell whether HIPAA applies to you, and how to know if your software is HIPAA compliant.
Does HIPAA apply to me?
Before you start worrying about compliance with the security and privacy requirements of HIPAA, you should determine whether they can be applied to you and your organization. Both the HIPAA privacy rule and the HIPAA security rule apply to all covered entities under HIPAA, such as health plans, healthcare clearinghouses and healthcare providers. The website for Centers Medicade & Medicaid Service offers a Covered Entity Guidance Tool that can help you determine whether your organization is a covered entity.
HIPAA was expanded in 2009 with the introduction of the HITECH Act and again in 2013 with the HIPAA omnibus rule which clarified the responsibilities of business associates of covered entities when it comes to managing privacy and security of patient records. Further guidance was issued in 2016 indicating that cloud service providers would also be covered by the HIPAA privacy, security and breach notification rules.
Software developers in the healthcare space need to tread carefully here – the original regulations of HIPAA that deal with covered entities probably won’t apply to most organizations creating eHealth or mobile health products, but if your app will manage protected health information and share it with any covered entities, such as health plans or doctors, then HIPAA applies to you and you must comply.
If your software collects protected health information from patients but does not share it with a doctor or another covered entity at any point, the HIPAA rules won’t apply to you and you don’t need to worry about compliance.
Required safeguards for software HIPAA compliance
The available data indicates that while theft of computing hardware was the primary cause of healthcare data breaches in 2017, the greatest vulnerability that was exploited was health IT networks. For software developers, the HIPAA security rule is the most likely potential source of compliance issues. The rule mandates three types of safeguards that protect patient data – administrative, physical, and technical. In creating these safeguards, software developers must establish a secure application where authorized personnel have access to the required patient information while unauthorized persons do not. Patient information must also be protected from alteration or destruction.
Administrative safeguards ensure that software administrators who make have access to the data are acting responsibly. If your software stores medical data, anyone with access to that data must be authorized and trained on the ethical and legal requirements of that access. Administrative safeguards include:
Security management process
Information access management
Workforce training and management
Physical safeguards help to mitigate data breaches by ensuring that only authorized users can access the facilities and machines where protected health information is stored. Physical safeguards include managed policies for:
Facility access and control
Workstation and device security
Technical safeguards present the greatest challenge for software developers building HIPAA-compliant products, as software bugs represent the best opportunity for data attacks against your organization. HIPAA does not detail exactly what firewalls, anti-malware devices or encryption tools should be used to secure your software against a data breach, but it does indicate the need for several types of controls:
Vice President Joe Biden recently took the stage at Health Datapalooza in Washington, D.C. to discuss where healthcare technology currently stands, and he didn’t hold back. Among other things, he chastised the industry for poor health IT system interoperability and the resulting difficulties it causes providers and patients. “We have to ask ourselves, why are we not progressing more rapidly?” Biden lamented.
Biden’s criticism is only the latest high-profile commentary about the unfulfilled promise of information technology in healthcare. AMA leaders and individual physicians have been grousing about it for years. We’ve seen technology increase efficiency, reduce costs and improve productivity in every other industry – but why not healthcare?
Ironically, seven years after the passage of the HITECH Act of 2009, doctors are less productive than they were before, and IT is the culprit. Rather than enabling a better, more streamlined workflow, IT has become a burden.
The drag that IT is placing on healthcare providers is a principal reason why U.S. Health and Human Services (HHS) Secretary Sylvia Burwell announced with great fanfare at the HIMSS16 conference an “interoperability pledge,” which vendors and providers alike are encouraged to take. Its purpose in part is “to help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community.”
This call resonates because the promise of better healthcare through technology has been broken. Technology has changed the way we communicate, the way we shop, the way we watch TV, the way we drive, and the way we interact with our homes. As an industry, healthcare is lagging way behind. The consequences are drastic. In order for us to deliver the kind of holistic care that will truly improve people’s health, it’s time not only to talk about the potential, but to make it a reality for users and providers across the healthcare continuum.
Here’s the reality: we have today what 10 years ago was called a supercomputer in front of physicians – a device that knows virtually everything about the patient – but it isn’t helping out in ways that we take for granted in our everyday lives when we shop online, use Google Maps or order an Uber.
It isn’t that doctors aren’t skilled, intelligent or capable enough—it is that the demands being placed on them are too great.
Time and documentation demands mean that something has to give. As many physicians have pointed out over the years of the HITECH Act’s implementation, the thing that normally “gives” is facetime with patients: actual, hands-on delivery of care and attention. Instead, they are driven to input data for documentation, follow prompts on EHR interfaces, ensure their record-keeping practices will facilitate correct coding for billing, as well as tip-toeing around HIPAA and the explosion of security and privacy vulnerabilities opened up by the shift to digital.
The reality of modern medicine—and especially the rate at which it evolves, grows, and becomes outdated—means that doctors need what most every other industry has already integrated: more brains. Not simply in the form of EHRs for record-sharing, or voice-to-text applications as a substitute for transcriptionists, but as memory-supplements, or second brains.
As a species, humans are also evolving away from memory as a critical element of intelligence, because we now have devices—“smart” devices—always on, always on us, and always connected to the ultimate resources of facts and data.
Our smart devices—phones, tablets, etc.—are gateways to the whole of human knowledge: indexes of information, directories of images, libraries question and answer exchanges. In effect, we are increasingly able and willing to offload “thinking” onto these devices.
Supplement or Supplant?
Depending on the context and application, this trend is both helpful and potentially harmful. For those prone to critical thinking and equipped with analytical skills, offloading some elements of memory to these devices is a question of efficiency. Even better, the more they practice using it, the more effective they become at integrating devices into their cognitive tasks. In others (those less prone to think critically), it is a shortcut that reduces cognitive function altogether: rather than a cognitive extension, the devices act as substitutes for thinking. Similarly, increasing over-reliance on the internet and search engines further diminishes already deficient analytical skills.
The standard roadmap for a medical education entails a lot of memorization—of anatomy, of diseases, of incredible volumes of data to facilitate better clinical performance. It isn’t memorization simply for the sake of recitation, though; it is the foundation for critical thinking in a clinical context. As such, medical professionals ought to be leading candidates for integrating smart devices not as crutches, but as amplifiers of cognition.
So far, that has been far from the dominant trend.
Enter the Machine
Integrating computers as tools is one thing, and even that has proven an uphill battle for physicians: the time and learning curve involved in integrating EHRs alone has proven to be a recurring complaint across the stages of Meaningful Use and implementation.
Patient engagement—another of the myriad buzzwords proliferating the healthcare industry lately—is another challenge. Some patients are bigger critics of the new, digitally-driven workflows than the most Luddite physicians. On the other hand, some patients are at the bleeding edge of digital integration, and find both care providers and the technology itself moving too slowly.
Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.
The need for ongoing reviews to business associate agreements stems from an increased focus on compliance, and audits from the Office of Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPPA-compliant providers like healthcare fax companies to transmit protected data on their encrypted servers has been the best way for health care professionals to avoid audit issues.
However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.
Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.
The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements, highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.
Considerations for Review
Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.
Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.
When reviewing your business associate agreements, there are a few key points to pay close attention to: