NueMD, provider of cloud-based medical practice management software for small practices, in partnership with Porter Research and the Daniel Brown Law Group, surveyed practices and business associates about HIPAA compliance and how small practices and billing companies are coping. The survey of about 1,200 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act.
“Understanding HIPAA can be difficult for practices and billing companies, especially if they’re already scrambling to keep up with changes like ICD-10 and meaningful use,” said Caleb Clarke, sales and marketing director at NueMD, in a statement. “With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling.”
NueMD surveyed practices and billing companies in all 50 states; most of the practices were small and made up of one to three providers.
In a nutshell, the survey found that:
66 percent of respondents were unaware of HIPAA audits (a staggering number)
35 percent of respondents said their business has conducted a HIPAA-required risk analysis
34 percent of owners, managers and practice administrators reported that they were “very confident” that their electronic devices that contain PHI were HIPAA compliant
24 percent of managers, owners and practice administrators at medical practices reported that they’ve evaluated all of their business associate agreements
56 percent of office staff and (non-owner) care providers at practices said they’ve received HIPAA training in the last year
HIPAA is one of the primary and most comprehensive government regulations affecting the daily activities of every healthcare organization.
Signed into law in 1996, the law outlines policies to protect sensitive patient data and penalties for those who don’t comply. Recent updates under the HITECH act introduced several changes that affect the responsibilities and liabilities of covered entities and business associates.
Enforcement actions following breaches are occurring at a more rapid pace. HITECH extended certain HIPAA security and privacy requirements and set the stage for greater enforcement, including:
Widening the scope of the law, requiring health information exchanges (HIEs) to be business associates of healthcare entities, and applying HIPAA privacy and security requirements directly to the HIEs.
Greater penalties for noncompliance.
Redirecting civil monetary penalties back into enforcement activities instead of into the general fund. This provides additional funds for future enforcement and incentivizes proactive enforcement activities.
Adding breach notification requirements to entities that operate personal health records or otherwise maintain personal health information for purposes other than healthcare delivery or payment.
Opening the way for enforcement by states’ attorneys general.
Also, the HITECH Act incentivizes more aggressive HIPAA enforcement, which means healthcare organizations are now more likely to be audited regularly.
Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009, rural, community and critical access hospitals have been turning to electronic health record (EHR) systems to receive significant incentive payments based on meeting meaningful use regulations. However, the impact on workflow makes achieving a return on investment (ROI) after implementation challenging. Additionally, the burden of meeting federally mandated deadlines such as meaningful use is placed on these hospitals' small IT departments.
According to a 2014 HIMSS Analytics survey, 83 percent of healthcare providers are using cloud services. Compared to server-based networks, the cloud is especially beneficial to rural hospitals because of the lower upfront, implementation and maintenance costs, resulting in increased ROI. The cloud system’s pay-as-you-use method removes the need for expensive hardware, and the accessibility and security of patient records improves efficiency and patient care, allowing hospitals to prove they are meaningfully using EHR technology.
Implementation and Maintenance
Because of budgetary constraints, rural hospitals typically have outdated technology, and some areas do not even have computers. Recently, I visited a hospital with only one computer on each floor and no EHR system in place at all. Because of this, these hospitals must implement user-friendly healthcare technology that is easily deployed across the network, even for clinicians with limited or no experience in a high-tech environment. This type of easy-to-use EHR system not only improves patient care, but also helps hospitals qualify for federal incentive payments. However, time is running out. Hospitals only have one more year to receive incentives for being MU compliant. After this timeframe they not only won't receive payments, but they will be penalized financially for not meeting regulations, which is especially detrimental to smaller hospitals.
Cloud-based solutions allow hospitals to deploy EHR systems quickly and at a lower cost. While server-based EHR systems can cost $40,000 or more, a cloud network does not require any hardware to be installed on-site. Therefore, upfront, implementation and maintenance costs are much lower than for a server-based solution. Less hardware means less opportunity for failure; thus, maintenance costs decrease drastically, and the lifespan of a cloud-based system is much longer than that of a physical server solution.
Guest post By Barry P. Chaiken, MD, FHIMSS, chief medical information officer at Infor.
In many ways healthcare is like a symphony orchestra. Although information technology can enhance care planning, assist in medication administration and reduce duplicative testing, it cannot replace the people required to deliver care services to patients. Nurses are needed to administer medications, therapists are needed to provide treatments, and physicians are needed to diagnose illnesses and provide treatment plans. On average, hospitals devote close to 70 percent of their budget to labor costs. Until robots replace humans in the delivery of patient care, selection of the proper skill mix and number of professionals remains a significant factor that determines cost in provider organizations.
Although information technology cannot replace the staff delivering care to patients, it can assist organizations in choosing the best talent available, help develop that talent and determine the best way to utilize the skills of these professionals.
To identify the best talent, information technology tools allow the extraction of an employee’s “behavioral DNA” – the measurement of behavioral, cognitive and cultural traits. Organizations then compare this prospective employee’s “DNA” to the “DNA” of existing high performing employees within the organization in an effort to identify individuals who possess a high probability of excelling within the organization.
Guest post by Randy Hickel, manager of worldwide healthcare business development, Printing and Personal Systems Group of HP.
Mobility and BYOD trends in healthcare are a hot topic. With more healthcare businesses transitioning work processes to mobile platforms for increased collaboration and productivity, data security can be a major concern.
It’s clear that advanced mobile technologies allow healthcare employees – who are constantly on the move – to connect from anywhere, anytime; however, mobility can pose several challenges. By engaging with a health IT mobility expert, healthcare organizations can plan and build the appropriate infrastructure to manage various mobile devices, secure data and promote fluidity between paper and digital documents.
Prepare your IT infrastructure for BYOD
Personal devices in the workplace are quickly becoming the norm, rather than a trend, even in the healthcare industry. Administrative and medical staffs more frequently use personal devices, such as smartphones or tablets, to connect to work networks or enterprise systems. According to the Pew Research Center, in January 2014, 58 percent of American adults had smartphones and 42 percent had tablets. And for the first time ever, Americans used smartphone and tablet apps more than PCs to access the Internet.
Mobility focused IT experts can help healthcare organizations develop a mobile printing strategy that manages the growing number and diversity of mobile devices in the workplace, ensuring that staff can print securely using their mobile devices.
The cost of IT security data breaches in the highly regulated healthcare industry is staggering, topping even the financial services market. No one is immune. Nearly 94 percent of medical institutions report that their organizations have been victims of a cyber attack, according to findings by the Ponemon Institute. With last year's update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act of 2009, rising costs are again a reality. The annual cap on fines for security breaches has also skyrocketed from a maximum of $25,000 per year to $1.5 million.
With breaches in healthcare ranging from insider "nosy-neighbor" snooping to external cyber threats such as malware, there is an obvious urgency for detection and remediation solutions that cover not only the hardened perimeter but also the soft center, extending all the way out to the ancillary systems that once stood alone but are now networked and part of the entire electronic healthcare ecosystem.
Establishing a single, integrated, active defense approach to bolster your security posture and mitigate insider breaches, as well as cybercrime in healthcare, begins with breaking down internal barriers. Organizations need technology and organization leaders who champion bridging the gap between the two influential and liable, yet often non-collaborating, groups responsible for protecting these domains: privacy and compliance, and enterprise IT security.
Coordinating the effort to monitor networks and applications to achieve a greater understanding of risky behavior is a giant step toward detecting early indicators of compromise and strengthening the weak links in your security practice. We recommend an assessment of the often overlooked, non-standard variety of electronic data carriers, which can fall into the category of the "Internet of Things": medical device endpoints, video surveillance systems, X-ray machines and call contact systems. These must be treated as part of the entire electronic ecosystem to achieve a greater degree of data protection. They carry protected health information (PHI) and even business intellectual property, and are largely unprotected by traditional intrusion detection solutions. While often perceived as immune to breaches, they represent readily available ports of entry for an attacker.
A unified approach to end-user education and monitoring for early breach detection that fosters risk mitigation requires tight coordination between privacy and IT security. The challenge is in how. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the other's data. Let's take a look at a couple of examples.
For physicians’ practices in the 21st century, connectivity is the buzzword. Getting doctors connected to data, patients connected to healthcare providers, and practices connected to networks are just a few of the web-fueled scenarios coming down the pike.
The Health Information Technology for Economic and Clinical Health (HITECH) Act is a game changer and affects just about every aspect of modern medical care. HITECH, part of the American Recovery and Reinvestment Act of 2009, promotes the adoption and meaningful use of health information technology.
As is often the case with a shift this monumental, there are both benefits and challenges of connected healthcare that practice groups will have to address. First, let’s take a look at some of the benefits.
1. Join the Digital Revolution. Just as other industries that went digital years ago, healthcare benefits from the streamlining offered by a networked environment. Clinical interoperability of healthcare IT lowers costs and enhances efficiency by facilitating the comprehensive exchange of health information between care providers, hospitals and patients. The trend is toward innovation in healthcare as the industry as a whole responds to consumer demands and government reforms.
2. Safety in Numbers. As of 2013, more than 323,000 American medical practices and hospitals adopted EHRs and attested as meaningful users, indicating a 266 percent increase over 2012, according to CMS statistics. However, even with this upsurge in participation, those numbers represent only a small percentage of US hospitals that currently keep electronic records and contribute to the health information exchange. So, while the risk of being an early adopter is largely gone, your practice group could still be near the front of the adoption wave.
3. It’s easier. As you can see from the statistics in the previous point, healthcare IT adoption is in an early phase, and for most practices, there is a lack of centralization. To help elucidate the complexity of the system, look no further than the state of Florida, where there are at least 672 EHR vendors. Connecting health information digitally creates a central database that greatly simplifies the process of storing and retrieving all patient data. It’s like finding the needle in the haystack every time.
Patient-centered healthcare technology is putting the power of good health into patients’ hands. All of the changes in American healthcare regulations point to one top priority, and that’s patient centered care. Why does this matter? Because patients who are empowered to manage their own health are more likely to be proactive and, theoretically, therefore healthier.
Knowledge in the world of healthcare can be a great thing, and the technology community is responding with thousands of apps and other healthcare IT initiatives, such as activity tracking devices and websites designed to help consumers keep close track of their wellness.
Researchers at the Mayo Clinic provided FitBits to 149 post-surgical heart patients. The researchers determined that using the FitBit to monitor mobility wirelessly was "easy and practical, and led to a significant relationship between the number of steps taken in the early recovery period, length of stay and dismissal disposition." The research indicates that an activity monitor such as a FitBit could positively affect post-discharge outcomes by empowering patients to take their recovery into their own hands. Better discharge outcomes lead to lower costs in the long run. This is just one example of many.
In a letter to HHS Secretary Kathleen Sebelius, the College of Healthcare Information Management Executives (CHIME) and 47 other of the nation’s largest healthcare provider organizations issued a joint call for additional time and flexibility in the meaningful use program to ensure its continued success.
While underscoring the meaningful use program’s invaluable role in advancing technology adoption among hospitals and physicians, the letter states that strict adherence to current program requirements endangers overall success of the EHR program, disrupts providers’ healthcare operations and potentially jeopardizes patient safety.
“Given that we have just celebrated the anniversary of HITECH, we can look back at the last five years with great pride and take stock of how far we’ve come – as an industry and as a nation,” said CHIME President and CEO Russell P. Branzell FCHIME, CHCIO. “But we must look ahead and recognize the immense work in front of us. Now is the time to make much-needed course corrections to ensure that we continue this success well past HITECH’s 10th anniversary.”
The letter reiterates many points made by several organizations dating back to May 2013, including letters from CHIME; the American Hospital Association (AHA); the American Medical Association (AMA); the Medical Group Management Association (MGMA); the American College of Physicians (ACP); the American Academy of Family Physicians (AAFP); and the National Rural Health Association (NRHA).
The latest letter, the first to be issued jointly by more than 40 organizations, comes in response to concerns that the nation’s 5,000 hospitals and 550,000 eligible professionals must adopt the latest certified versions of EHR technology and meet more difficult program requirements to remain in compliance with the Medicare and Medicaid Electronic Health Record Incentive Program. Hospitals only have until July to adopt, implement, test and train staff to meet either Stage 1 or Stage 2 Meaningful Use requirements in 2014. Eligible professionals have until October to begin collecting data to attest to meeting program requirements.
In 2013, healthcare industry stakeholders, including associations, EHR vendors, practitioners and providers, raised significant concerns relating to the implementation timing of meaningful use Stage 2 and 3 criteria, including problems with interoperability, usability and regulatory failure to assess the "value added" by implementation of meaningful use criteria to date. On December 6, 2013, federal officials announced that the Centers for Medicare and Medicaid Services ("CMS") was proposing a new timeline for the implementation of meaningful use stage criteria for the Medicare and Medicaid Electronic Health Record ("EHR") incentive programs. The Office of the National Coordinator for Health Information Technology ("ONC") further proposed a more regular approach to updating ONC's certification regulations.
Under the revised timeline, Stage 2 will be extended through 2016 and Stage 3 will begin in 2017 for those providers who had completed at least two years in Stage 2. The goal of the proposed changes is twofold: to allow CMS and ONC to focus efforts on the successful implementation of the enhanced patient engagement, interoperability and health information exchange requirements in Stage 2, and to evaluate data from Stage 1 and Stage 2 compliance to date in order to inform policy decisions for Stage 3.
CMS expects to release proposed rulemaking for Stage 3 in the fall of 2014, which may further define this proposed new timeline. Stage 3 final rules would follow in the first half of 2015.
Despite CMS's positive response to stakeholders' concerns relating to the timeline for implementation of Stage 2 and Stage 3 meaningful use criteria, significant reservations continue to be voiced, on a monthly basis, by providers at both health information technology ("HIT") Policy Committee and work group meetings. Providers continue to urge rule makers to institute consensus standards that could be adopted broadly across the healthcare industry to ensure both usability and interoperability.
In early 2013, former National Coordinator Farzad Mostashari chastised electronic health record vendors for improper behavior in the marketing and sales of systems that continued to frustrate interoperability goals. This frustration with EHR vendors continued to be voiced in HIT Policy Committee and work group meetings as recently as January 2014.
Guest post by James Hofert, Roy Bossen, Linnea Schramm and Michael Dowell, all partners with Hinshaw & Culbertson.
New federal healthcare legislation and implementing regulations seek to exert control over multiple aspects of patient care. The Health Information Technology for Economic and Clinical Health Act ("HITECH")[i], with staged implementation through 2016, seeks not only to promote implementation of electronic health record systems ("EHR"), but also to regulate electronic communications of health information by and between the patient, physician, hospitals and other healthcare institutions so as to enhance care quality and care coordination and reduce costs.
HITECH further envisions implementation of clinical decision support algorithms for the diagnosis and treatment of disease both during admission and after discharge. The Hospital Readmission Reduction Program[ii], effective October 1, 2012, consistent with the objectives of HITECH, seeks to financially penalize hospitals for higher than standardized readmission rates for heart failure, acute MI and pneumonia. The Centers for Medicare and Medicaid Services ("CMS") intends to expand application of the program to readmissions for COPD, elective total hip arthroplasty and elective total knee arthroplasty in 2015[iii]. Consistent with the preventative care goals found in HITECH, intended to mitigate further health care problems, CMS has refused to adjust the readmission penalty program to account for readmissions unrelated to the patient's initial hospitalization, even though such readmissions could be considered outside the hospital's or physician's control[iv].