Some Organizations Unaware of Health Data Privacy, Security Rules

Many health data privacy and security problems could be avoided if health  care providers and insurers knew the regulations that applied to them, according to an analysis by HHS contractor KPMG, Modern Healthcare reports.

KPMG conducted the analysis of audits that it performed on behalf of HHS’  Office of Civil Rights (Carlson, Modern Healthcare, 4/23).

Background

As part of a 2012 pilot program, OCR called for 115 random HIPAA privacy and  security compliance audits of health care providers, payers and claims  clearinghouses.

The pilot program aimed to help OCR prepare to establish a permanent audit  program during fiscal year 2014 (iHealthBeat,  3/19).

Details of Analysis

According to the analysis, about one-third of the 980 problems identified  during the 115 HIPAA audits happened because health care organizations were  unaware of certain regulations that applied to them.

Out of the organizations that had documented problems:

• 60% of the identified issues were related to data security;
• 30% were related to data privacy; and
• 10% were related to data breach notification.

The analysis also found that 47 of the 61 audited health care providers  had not completed a full and accurate risk assessment to identify potential data  problems.

Comments on Findings

OCR Senior Adviser Linda Sanches said it appeared that some organizations  wrote their data privacy and security policies only after being targeted for an  audit.

She noted that the health care entities with documented problems will not  face penalties because the audits were conducted by contractor KPMG. However,  Sanches added that OCR officials might review findings from the audits during  future investigations.

According to Sanches, the analysis’ findings suggest that many health care  providers could benefit from reviewing HITECH Act regulations that broaden HIPAA  data privacy and security safeguards (Modern Healthcare, 4/23).

Source: iHealthBeat

One in 20 Meaningful Use Attesters To Face Audits, Official Says

About one in 20 participants in the meaningful use program can expect to face  an audit for compliance with the program’s requirements, according to a CMS  official, Modern Healthcare reports.

Background

Under the 2009 federal economic stimulus package, eligible hospitals and  health care professionals who demonstrate meaningful use of certified electronic  health record systems can qualify for Medicare and Medicaid incentive  payments.

Since October 2012, CMS has conducted audits of meaningful use program  participants who have received incentive payments.

In January, CMS started conducting prepayment audits of health care providers  who attested to the meaningful use of EHR systems.

CMS Official’s Comments

During a telephone update on CMS’ meaningful use audits, Robert Anthony —  deputy director of CMS’ Health IT Initiatives Group — said that CMS aims to  audit about 5% of all meaningful use program participants by conducting  approximately the same amount of prepayment and post-payment audits.

He added that Figliozzi & Company, CMS’ audit contractor, will conduct  the majority of reviews through “desk audits” but that a few on-site audits  could occur.

Anthony said CMS so far has sent few letters notifying health care  providers about adverse audit findings. However, he noted that the agency still  is in the early stages of its auditing efforts. He added that a few health care  providers with adverse audit notices are starting the appeals process and that  some providers are facing investigation for possible fraud.

According to Anthony, the most common problems identified in the audits so  far are:

• Noncompliance with the requirement that health care providers conduct a data  security risk assessment, which also is a requirement under HIPAA; and
• A lack of adequate documentation to support responses to some of the “yes or  no” meaningful use requirements, such as whether an EHR system has been tested  for the ability to exchange clinical data (Conn, Modern Healthcare,  4/22).

Source: iHealthBeat

Physicians Offer Mixed Views About Emailing With Their Patients

Some physicians find that emailing with patients saves time and money, but  others have concerns about the practice, the Wall Street Journal reports.

Benefits of Emailing With Patients

Physicians who email with their patients say the practice:

• Is a convenient way to communicate about patient care;
• Avoids the challenges of reaching patients by phone; and
• Helps prevent patients from inaccurately diagnosing their health  conditions using the Internet.

Andrew Martorella — an endocrinologist in New York — said that if he did  not email with patients, he likely would need at least one extra staff member to  field patients’ phone calls. He added that emailing with patients has  “definitely made a big change in terms of reducing costs, especially for solo  practitioners.”

Concerns About Emailing With Patients

Physicians who do not communicate with patients via email cite concerns about  the practice, including:

• Inconvenience;
• Potential legal liability;
• Lack of reimbursement for emailing with patients;
• Risk of miscommunicating about important health information; and
• Privacy and security issues.

Andrew Adesman — chief of developmental pediatrics at Steven & Alexandra  Cohen Children’s Medical Center of New York — said he prefers office visits and  phone calls to emailing with patients. “Often times brevity has the potential to  compromise clarity,” he said.

Comments About Secure Communication

Jane Thorpe — an associate professor of health policy at George Washington  University — said that doctors should use a secure system — such as an  encrypted message or protected portal — to communicate with patients instead of  using personal email.

Peter Dehnel — a Minneapolis-based pediatrician who is chair of the American  Academy of Pediatrics — said that AAP and other industry groups are working to  develop guidelines for physicians’ electronic communications (Reddy, Wall  Street Journal, 3/25).

Source: iHealthBeat

Some Meaningful Use Attesters Undergoing Prepayment Audits

CMS has launched prepayment audits for certain health care providers who have  attested to the meaningful use of electronic health record systems, FierceEMR reports (Durben Hirsch, FierceEMR,  3/24).

Background

Under the 2009 federal economic stimulus package, health care providers who  demonstrate meaningful use of certified EHR systems can qualify for  Medicare and Medicaid incentive payments.

In November 2012, HHS’ Office of Inspector General released a report that criticized CMS for poor auditing of  the incentive program.

OIG’s report recommended that CMS strengthen its prepayment assessment  program by randomly selecting “high-risk” providers and asking them to “submit  supporting documentation for prepayment review” (iHealthBeat,  11/29/12).

Details of Audits

Elizabeth Holland — director of the Health IT Initiatives Group in CMS’  Office of E-Health Standards and Services — said that CMS is  conducting prepayment audits of 5% to 10% of providers who attested to  meaningful use in January (FierceEMR, 3/24).

She said that prepayment audit selections were “made both randomly and also  based on protocols that identify suspicious or anomalous attestation data.”

Holland said that an additional 5% to 10% of meaningful use attesters will  undergo post-payment audits.

New York-based accounting firm Figliozzi & Company — which was chosen by  CMS to conduct the audits — is sending letters notifying health care providers  who have been selected for audits.

According to Holland, providers who receive a letter should respond to it  immediately because meaningful use incentives will be withheld until providers  pass the audit review (Porter, AAFP News Now, 3/19).

Source: iHealthBeat

Several New Rules To Expand, Update HIPAA Provisions Take Effect

Although Tuesday is the effective date for multiple new rules that expand and  update HIPAA provisions, compliance for the majority of the new rules’  provisions will not be required for another six months, Modern Healthcare reports (Conn, Modern  Healthcare, 3/25).

Background

The final omnibus rule — which includes four final rules  that implement tougher privacy and security provisions — was called for under  the 2009 federal economic stimulus package’s HITECH Act and the Genetic  Information Nondiscrimination Act. The rules:

• Clarify when breaches must be reported to HHS’ Office for Civil Rights;
• Establish new standards for the use of patient-identifiable information for  fundraising and marketing;
• Expand liability to “business associates” of hospitals and other  “HIPAA-covered entities,” such as data miners and health IT service providers;  and
• Raise the maximum penalty for noncompliance to $1.5 million per violation  (iHealthBeat,1/18).

Compliance for New Provisions

Angela Dinh Rose — director of health information management practice  excellence at the American Health Information Management Association — said the  compliance date for most of the rules’ provisions is Sept. 23.

Entities that already had a HIPAA-compliant agreement with a business  associate prior to the rules’ official publication date of Jan. 25 will be  granted a one-year grace period, as long as the contract does not require  renewal between March 26 and Sept. 24.

Out-of-Pocket Provision Could Be a Challenge

According to Modern Healthcare, one of the biggest  challenges under the rules is a provision allowing patients to request that  insurers not be informed of treatments that are paid for out-of-pocket.

Dinh Rose said training staff and implementing new systems capable of  complying with that provision will be “an operational challenge and a system  challenge.”

The Department of Veterans Affairs, HHS’ Substance Abuse and Mental Health  Services Administration and other groups already have developed a system that  will allow such records to be blocked (Modern Healthcare,  3/25).

Source: iHealthBeat

Physicians Worry That Sunshine Act Could Hinder Innovation

Some health care professionals are concerned that the Physician Payment  Sunshine Act — which requires health care providers to disclose compensation  they receive from medical industry companies — could stifle innovation, MedPage  Today reports (Pittman, MedPage Today, 3/12).

Background

Last month, CMS released a long-awaited final rule on the Physician Payment  Sunshine Act and outlined a timeline for its implementation.

The Sunshine Act — which is part of the Affordable Care Act — requires  medical industry companies to disclose consulting fees, travel reimbursements,  research grants and other gifts that they give to physicians and teaching  hospitals.

Starting Aug. 1, manufacturers of pharmaceutical and biological drugs,  medical devices and medical supplies will be expected to report all transfers of  monetary value over $10 to physicians and teaching hospitals.

All data collected from August through December must be reported to CMS by  March 31, 2014, according to the final rule. The agency will publish the data on  a public website by Sept. 30, 2014. CMS is creating an electronic system to help  facilitate the reporting process.

Physicians will be given a 45-day “review and correction” period to ensure  the accuracy of any disclosures to CMS, according to the final rule (iHealthBeat,  2/5).

Physicians’ Concerns

During an event sponsored by the Healthcare Leadership Council, several  physicians voiced their concerns about the Sunshine Act.

The Healthcare Leadership Council said its members generally are satisfied  with the way the Sunshine Act’s rules were presented but are concerned about the  website that CMS is launching to make the data publicly available.

David Caraway — a physician at St. Mary’s Regional Medical Center in West  Virginia — said that public disclosure of industry gifts is a “disincentive for  innovation and collaboration” and could make some doctors less likely to  participate in educational events or collaborative projects sponsored by  pharmaceutical companies.

Ryan Hohman — managing director of policy and public affairs at the advocacy  group Friends of Cancer Cancer Research — said, “Like it or not, successful  innovation requires commercial entities to be involved, and successful education  of physicians will require all experts to be educating each  other” (MedPage Today, 3/12).

Source: iHealthBeat

Tool Aims To Eliminate 30-Day Readmissions for Heart Failure Patients

Researchers at the Intermountain Heart Institute have developed a tool that aims to eliminate 30-day hospital  readmissions for heart failure patients in part by adding specific information  to patients’ electronic health records, Healthcare IT News reports.

Tool Development

To develop the tool — known as the IMRS-HF — researchers examined the EHRs  of more than 6,000 heart failure patients discharged from Intermountain  Healthcare hospitals between 1999 and 2011.

Researchers then adapted the Intermountain Risk Score, a system used to  predict the mortality rates of trauma patients.

Finally, researchers validated the tool by applying it to 459 patients who  were hospitalized between April 2011 and October 2012.

How the Tool Works

IMRS-HF combines statistical modeling data into a risk score that tells  physicians how likely a patient is to be readmitted to a hospital within 30  days.

The score — which is calculated when a patient is admitted to the  hospital — is included in the patient’s EHR, where it is available as  an alert to help inform physicians’ treatment decisions (Monegain, Healthcare  IT News, 3/11).

Hospitals that used the tool saw a 2.5% decrease in 30-day readmission rates  compared with hospitals that did not use the tool, according to a recent Intermountain Healthcare study.

Benefits and Goals of the Tool

Jose Benuzillo — a senior outcomes analyst at Intermountain Healthcare —  said, “Use of this tool reduces variation in practice between the most  skilled and experienced specialists in cardiovascular care and more general  practitioners who see cardiovascular patients more infrequently” (Hall, FierceHealthIT, 3/11).

In a statement, Benjamin Horne — lead researcher and  director of cardiovascular and genetic epidemiology at Intermountain Heart  Institute — said, “Our next step is to look at ways to integrate this tool into  the planning for all of our heart failure patients so we can reduce the number  of 30-day readmissions and provide better quality care at a lower cost”  (Healthcare IT News, 3/11).

Source: iHealthBeat

Survey Finds Drivers, Barriers to Widespread Health Data Exchange

During the Healthcare Information and Management Systems Society’s annual  conference last week, the National eHealth Collaborative unveiled the results of a survey evaluating stakeholders’ views on health  information exchange, Clinical Innovation & Technology reports (Godt, Clinical Innovation & Technology, 3/7).

Survey Respondents

The 219 respondents to the survey include:

• Hospital executives;
• Leaders of health information exchanges;
• Electronic health record vendors; and
• Other health data exchange stakeholders.

Drivers of Health Data Exchange

When asked about the major factors driving widespread health information  exchange:

• 98% of respondents cited the ability to enhance care coordination;
• 97% cited greater interoperability;
• 95% cited the ability to improve care quality and reduce costs; and
• 91% cited meeting meaningful use requirements.

Under the 2009 federal economic stimulus package, health care providers who  demonstrate meaningful use of certified EHR systems can qualify for Medicaid and  Medicare incentive payments.

Barriers to Health Data Exchange

When asked about the biggest barriers to health data exchange  implementation:

• 96% of respondents cited the cost and pace of required changes;
• 95% cited concerns about financial sustainability, as well as data privacy  and security;
• 94% said concerns about the preparedness of EHR vendors; and
• 93% cited a lack of interoperability.

Role of ONC

When asked about the role that the Office of the National Coordinator for  Health IT should play in facilitating health data exchange governance:

• 67% of respondents said ONC should establish specific technical platforms or  requirements for health data exchange;
• 64% said ONC should disseminate best practices on health information  exchange; and
• 22% said ONC should establish regulations on health data exchange (Durben  Hirsch, FierceEMR, 3/4).

Source: iHealthBeat

Health Industry Groups Express Concern About Meaningful Use Stage 3

Several health care industry groups have submitted comments to the Office of  the National Coordinator for Health IT, expressing concern about the  proposed requirements and timeline for Stage 3 of the meaningful use  program, Healthcare IT News reports (Miliard, Healthcare IT  News, 1/14).

Background

Under the 2009 federal economic stimulus package, health care providers who  demonstrate meaningful use of certified electronic health record systems can  qualify for Medicaid and Medicare incentive payments.

In November 2012, the Health IT Policy Committee asked for public comment about its proposal for Stage 3 of  the meaningful use program. The final rules for Stage 3 are expected to take  effect in 2016 (iHealthBeat,  11/9/12).

American Hospital Association’s Letter

On Monday, the American Hospital Association submitted a letter to ONC stating that it is too soon to  define the requirements for Stage 3.

AHA wrote that hospitals have not had enough experience with Stage 2 rules  and that no products to support Stage 2 currently are available.

AHA recommended that:

• HHS provide funding for a comprehensive external evaluation of the  meaningful use program; and
• The Policy Committee refrain from finalizing Stage 3 recommendations until  it has reviewed the external evaluation and developed a Stage 3 implementation  plan that addresses issues from Stage 1 of the program (Goedert, Health Data Management, 1/14).

College of Healthcare Information Management Executives’  Letter

Also on Monday, the College of Healthcare Information Management Executives submitted a letter urging ONC to reconsider the timeline and  scale of Stage 3 of the meaningful use program.

CHIME recommended that ONC conduct extensive evaluations of what already has  been accomplished through the meaningful use program to determine whether the  proposed Stage 3 criteria are realistic and achievable by 2016  (Healthcare IT News, 1/14).

Federation of American Hospitals’ Letter

On Monday, the Federation of American Hospitals submitted a letter stating that ONC should evaluate current  meaningful use requirements before health care providers invest money in  preparing for Stage 3.

FAH wrote that it believes the current timeline of two years for each  meaningful use stage is a barrier to fully achieving the meaningful use  program’s goals of improving care quality, efficiency and safety (Millman et al,  “Pulse,” Politico, 1/15).

Source: iHealthBeat

HIMSS, Other Groups Submit Comments on Meaningful Use Stage 3

Several health care organizations have submitted comments to the Office of  the National Coordinator for Health IT about the proposed requirements for Stage  3 of the meaningful use program.

Under the 2009 federal economic stimulus package, health care providers who  demonstrate meaningful use of certified electronic health record systems can  qualify for Medicaid and Medicare incentive payments.

Summaries of the organizations’ comments are provided below.

American Academy of Family Physicians’ Letter

Last week, the American Academy of Family Physicians sent a letter requesting that ONC delay implementation of  Stage 3 until 2017.

Glen Stream, AAFP board chair, wrote, “We remain concerned that HHS is  attempting to raise the bar for what constitutes meaningful use before the  majority of physicians and hospitals are able to achieve the meaningful use  Stage 1 or 2 objectives” (Perna, Healthcare Informatics, 1/16).

Association of American Medical Colleges’ Comments

In its comments on Stage 3, the Association of American  Medical Colleges recommended that policymakers:

• Allow physicians and hospitals to avoid Medicare penalties as long as they  meet most meaningful use objectives;
• Not increase the number of requirements that depend upon the actions of  others, such as patients;
• Not increase thresholds for Stage 2 core measures in Stage 3 until there is  evidence that all types of providers can meet Stage 1 and 2 thresholds;
• Make meaningful use requirements flexible enough to work for all medical  specialties; and
• Place all newly proposed Stage 3 criteria in the optional menu, not in the  core set of requirements (Terry, InformationWeek, 1/16).

Healthcare Information and Management Systems Society’s  Letter

On Monday, the Healthcare Information and Management Systems Society sent a letter to ONC, urging the agency to publish the final  rule for Stage 3 “at least 18 months before the beginning of the required  implementation period.”

The letter stated that such a strategy would give developers time to make  needed changes to their technology.

HIMSS also recommended that ONC focus more on helping providers take  advantage of the capabilities established in Stages 1 and 2 (Bowman, FierceEMR, 1/17).

HIMSS EHR Association’s Letter

Also on Monday, the HIMSS EHR Association sent a letter to ONC, stating that the agency should not  begin Stage 3 until at least three years after the start of Stage 2.

The association added that Stage 3 should focus on increasing  interoperability and more extensive use of Stage 2 capabilities (HIMSS EHR Association letter, 1/14).

Texas Medical Association’s Letter

The Texas Medical Association also submitted comments to ONC, requesting  that the agency accommodate physicians whose vendors go out of business or stop  supporting EHR systems already purchased by the doctors.

The association recommended that physicians in such situations be  allowed to meet “only 90 days of meaningful use during two transitional years,  with appropriate documentation of making the transition to a new, certified EHR”  (Conn, Modern Healthcare, 1/16).

Source: iHealthBeat