“As the federal government prepares to spend up to $27 billion in stimulus funds to promote electronic medical records, a health technology industry survey suggests that a number of hospitals, health clinics, and insurance firms are violating federal security rules on patient data and putting sensitive health information at risk,” The Center for Public Integrity reports. “The November survey by the health technology trade association Healthcare Information and Management Systems Society (HIMSS) found that one in four of the 196 health organizations that responded do not conduct a formal risk analysis to identify security gaps in electronic patient data. … failure to conduct a formal risk analysis is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996.”
Susan McAndrew, deputy director for health information privacy at HHS’s Office for Civil Rights, “said the agency hasn’t issued any fines because the goal of enforcement is to nudge doctors, hospitals, and insurers into compliance, not to punish them.” Industry insiders “say there have been few patient data security cases at HHS because the agency relies on media reports, complaints, and referrals from other agencies to learn of potential HIPAA rules violations, which has not generated a wide number of leads or investigations” (Eaton, 1/19).
Source: Kaiser Health News
If your patient records aren’t already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government—as well as by some private payors and self-insured employers—to get all healthcare providers wired in the near future, in order to better coordinate patient care, improve outcomes, and “bend the cost curve” all at the same time. There are some financial incentives in play to achieving “meaningful use” of “certified” EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.
Once all that patient data—or as it is known in HIPAA-speak, protected health information (PHI)—is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach.
Compliance with these rules— issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to healthcare providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties—requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.
The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity—certain data breaches require notice to potentially affected individuals via the general media in addition to notices required to be filed with the regulators. The new rules—I call them Son of HIPAA— are layered on top of existing HIPAA privacy and security rules: the FTC’s Red Flags Rule, regarding identity theft protections to be put in place by any “creditor” (which includes healthcare providers not paid in full at the time of service), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that patients will not be bombarded with multiple data breach notifications about the same incident, for example, the other applicable rules out there have not been harmonized.
The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (ie, unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.
Another important aspect of the rule is the concept of harm—the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that “pose a significant risk of financial, reputational, or other harm to the individual.” For example, if an employee of a healthcare provider accesses a patient record inappropriately, but immediately realizes his or her mistake, and exits the record quickly and does not retain any PHI, that is not a reportable data breach.
Finally, “business associates” under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of “covered entities” under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Healthcare providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients’ rights to their records are easily exercised () could be a way to build goodwill among patients and potential patients.
By necessity, this is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.
Source: KevinMD
The Federal Trade Commission said it is reviewing concerns that digital copy machines were retaining sensitive information and is reaching out to retailers and government agencies to safeguard users’ private data.
FTC Chairman Jon Leibowitz said in a letter (pdf) last week to Rep. Ed Markey (D-Mass.) that the agency has also launched an education campaign around informing users of copy machines that information such as financial and health data can be retained on hard drives. Machines that retain data can be accessed by identity thieves, particularly as copiers are resold without wiping clean hard drives.
“Like you, we also are concerned that personal information can be so easily retrieved by copiers, making it vulnerable to misuse by identity thieves,” Leibowtiz wrote.
The privacy implications of digital copy machines stem from a report by CBS that showed copiers were essentially acting as computers, with hard drives data being circulated among several parties as copiers were resold. Markey had called for an investigation into the issue.
“I am also pleased to learn that the FTC is reaching out to copier manufacturers and resellers to ensure that all parties are aware of the privacy risks associated with digital copiers while helping to educate the public about this important issue,” Markey said.
Source: The Washington Post
On Wednesday, the Medical Group Management Association sent a letter to HHS’ Office for Civil Rights asserting that the new disclosure requirements under the HITECH Act would be “extremely difficult to achieve without an enormous outlay of resources,” Health Data Management reports
MGMA sent the letter in response to a recent request for information from OCR, which is developing a rule to address the disclosure of protected medical information under the HITECH Act (Goedert, Health Data Management, 5/19).
The HITECH Act, part of the 2009 federal economic stimulus package, strengthens the HIPAA privacy rule. The act requires all health care providers, payers and their business associates to account for the disclosure of protected patient data included in an electronic health record, even if the information is disclosed for health care treatment or billing purposes (Cadet, CMIO, 5/19).
MGMA Survey
In the letter, MGMA cited a recent survey it conducted among its member medical groups that use EHR systems.
Out of the 369 medical groups that participated, the survey found that:
In addition, 55% of the survey respondents said meeting the new HIPAA requirements would be “extremely burdensome” on their practices.
MGMA Concerns
MGMA wrote that providing an account of all health information disclosures would require “a substantial amount of manual collection from multiple data sources.”
William Jessee, MGMA president and CEO, said the requirement “may be such a significant impediment for physician practices” that it could hinder EHR adoption (Conn, Modern Healthcare, 5/20).
MGMA urged OCR to consider revising the disclosure requirements and said it would continue working with the office to ensure patient privacy while promoting EHR adoption (CMIO, 5/19).
Source: iHealthBeat
Physicians and other health care providers increasingly are turning to Web-based communication tools such as videoconferencing applications, e-mail and instant messages to develop closer relationships with patients and provide them with more comprehensive treatment information, ComputerWorld reports.
Some physicians also are looking to connect with patients through social networking websites such as Facebook and Twitter. Health care providers use the online portals to disseminate health information and establish online communities that provide patients with a platform to share their experiences.
Concerns Over Privacy, Security
Neal Neuberger, executive director of the Institute for e-Health Policy, said doctors who use social networking websites should be aware of potential liability issues that could arise over the privacy and security of patient medical data.
Some experts recommend that physicians who use Web 2.0 tools should focus their online discussions on broad health topics rather than patient-specific medical information
Source: (Mearian, ComputerWorld, 5/20).
Seventeen months after launching a pilot project to test whether Medicare beneficiaries will use personal health records, HHS is going back to Utah and Arizona to ask PHR users what they think about the systems.
HHS last week published official notice in the Federal Register of its intent to conduct an evaluation this fall of the pilot program, including a survey of 500 Medicare beneficiaries to assess user satisfaction, as well as barriers or facilitators of PHR use.
Mathematica Policy Research has been hired to conduct the evaluation and survey.
According to the HHS statement of purpose in its notice, “Current PHR business models represent broad and varied uses, from disease management to health promotion, with sponsors consisting of commercial vendors, heath plans, employers and healthcare providers. We know very little about why consumers, and specifically Medicare beneficiaries, elect to use PHRs and what functionality they want from a PHR.
“Understanding these needs will be critical if HHS and the Centers for Medicare & Medicaid Services are to pursue PHRs as a tool to empower consumers to manage their health and have the capability to link to their provider’s EHR,” according to the HHS statement.
In January 2009, the CMS launched what it called the Medicare Personal Health Record Choice Pilot program in Utah and Arizona, the first-of-a-kind pilot program to offer a choice of PHRs to Medicare fee-for-service patients. Medicare beneficiaries could choose a PHR from any one of four vendors: Google Health, HealthTrio, NoMoreClipboard.com and PassportMD.
According to a CMS spokesman, 1,362 beneficiaries had signed up for PHRs by the end of March 2010.
According to the recently released results of a survey conducted in December and January by the not-for-profit California HealthCare Foundation, just 7% of Americans used a PHR in 2009, up from 2.7% in 2008.
In April, HHS announced it was commissioning a study of public attitudes about privacy and security in health information exchange. RTI International will conduct that survey. A final report is expected Oct. 1.
Source: ModernHealthcare.com
“When I add new procedures to my practice, it adds new life to my practice,” Westmoreland said. “Honestly, it’s adding time and effort to our procedure right now, but I hope that that will be time invested for benefit down the road. We want to be able to offer a full spectrum of minimally invasive surgery. If somebody’s doing it, we want to be doing it Murfreesboro.”
Source: Nashville MedicalNews
These days, many health centers—from smaller clinics to the largest hospitals—are focused on measuring patient satisfaction. Beyond the normal desire of any business to keep customers happy, health centers that get government funding are required to deploy regular surveys to gauge how patients rate their services. Scores depend on the quality of care the entire staff provides, from operators and administrators to nurses and physicians, and is often measured using metrics, such as how long patients must wait to be treated or how many transfers each patient must go through when calling their physicians or administrative offices. After all, nobody wants to keep dialing various numbers or wait a long time on the phone to make an appointment or inquire about a bill.
Such specific measurement mechanisms obviously pressure practices to act efficiently. Unified communications and voice-over-IP (VoIP) technologies can help healthcare IT organizations make service improvements in these areas while realizing cost savings. These systems let clinics serve patients faster by enabling quick and easy call transfers among buildings or departments while providing robust information about callers; for example, a UC system can provide screen pops in which administrators, doctors, nurses and operators can post comments to the notes section as part of the call record. Unified messaging can enhance employee productivity via dozens of time-saving features and by efficiently recording patient data, making paper trails a thing of the past. These systems also help the organization make up-to-the-minute staffing decisions based on logging and reporting on call volume.
No wonder, then, that when healthcare organizations look to make technology upgrades, the phone system is often a prime target. In this InformationWeek Analytics Best Practices report, we’ll cover best practices for health clinics and medical practices looking to choose and implement UC systems that will improve patient satisfaction while saving money.
Source: InformationWeek
Recent studies have found that consumers increasingly are turning to the Internet for health information.
In addition to health care Web sites, such as WebMD, consumers are turning to user-generated health content, such as physician and hospital rankings, blogs and chat groups.
While the Internet’s influence on consumers’ health care decisions is outpacing traditional channels, such as television, radio and print media, physicians still are the biggest influence on consumer health behavior, according to Monique Levy, senior director of research at Manhattan Research.
In an iHealthBeat Special Report by Mina Kim, experts discuss the growing use of the Internet for health information.
The segment includes comments from:
Google and Microsoft’s Bing recently refined their search engines to provide consumers with more credible and relevant information
Source: iHealthBeat
Primary care physicians spend a significant amount of time answering e-mails and performing other tasks that provide them with limited reimbursement, according to a new study conducted by evaluating electronic health records, the Washington Post reports.
The results were published in the New England Journal of Medicine (Brown, Washington Post, 4/29).
Study Details
Richard Baron — an internist in a five-provider practice in Philadelphia with roughly 8,500 patients — conducted the yearlong study using his practice’s EHR system to track the average daily workload of a primary care physician (Rubin, USA Today, 4/29).
Baron found that on an average workday, each primary care provider in his practice:
Reimbursement Issues
Baron said the results show the need for a new payment method that accurately reimburses primary care physicians for the amount of care they provide.
Baron acknowledged that reimbursing for each phone call or e-mail a physician handles would be impractical, but he suggested that adopting capitation — in which physicians would receive an annual lump sum per patient — would better cover the amount of time primary care physicians actually spend on patients (USA Today, 4/29).
EHRs: A Possible Remedy?
Some experts suggest that EHRs could help primary care practices improve care coordination and workflow efficiency, thus reducing the time burdens on physicians.
National Coordinator for Health IT David Blumenthal said the study results highlight “the enormous strain” on primary care doctors but also show “a pathway toward escaping at least some of those burdens; the electronic health record combined with changes in workflow and payment” (Lohr, New York Times, 4/28).
Source: iHealthBeat
MGMA Supports ICD-10 Testing With Outside Organizations
July 30, 2013
Report: Many EHR Users Set To Replace Systems Within the Next Year
July 30, 2013
Providers, Vendors Urge Congress To Delay Meaningful Use Stage 2
July 30, 2013
Many Doctors May Find Meeting ‘Meaningful Use’ Requirements a Challenge
June 28, 2013
When it Comes to ICD-10 Physician Documentation: Collaborate and Educate
June 28, 2013
The Slow Crawl Toward Improved EHR Usability and Interoperability
June 28, 2013
Efficient Patient Communication and Engagement
June 13, 2013
ONC Issues Guidance on Stage 2 Transition of Care Requirements
May 31, 2013
Drugmakers Leverage Doctor, Patient Data To Market Their Products
May 31, 2013
Consumer Organizations Defend Meaningful Use Program
May 31, 2013
