June 14, 2013 1:07 PM
Posted by: EmilyHuizenga
Tags: HIPAA policies, HIPAA Privacy Rule
The IRS is being audited, in a sense, by a Congressional subcommittee.
A House committee has called for an investigation of the Internal Revenue Service’s policies, procedures and accountabilities under HIPAA in response to an allegation that the agency unlawfully seized more than 60 million personal medical records affecting more than 10 million patients.
The case strikes a new chord in the world of data security and the HIPAA Privacy Rule, and could make for an interesting test case for health IT industry observers: could an IRS information seizure qualify as a reportable data breach?
The unnamed HIPAA-covered entity, “John Doe Company,” is suing the IRS and 15 unnamed agents for improperly obtaining records in March 2011. According to the complaint, the IRS’ search warrant permitted the collection of tax records of a former employee of the company, but “did not authorize any seizure of any healthcare or medical record of any persons, least of all third parties completely unrelated to the matter.”
“These medical records contained intimate and private information of more than 10,000,000 Americans, information that by its nature includes information about treatment for any kind of medical concern, including psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns,” the complaint states.
Three months after the claim was filed, U.S. House Committee on Energy and Commerce leaders Tim Murphy (R-PA) and Michael C. Burgess (R-TX) penned a letter to the IRS, asking how the agency is “preserving and treating” these records. They also seek an explanation of its HIPAA policies and procedures and how it ensures that protected health information (PHI) remains confidential and private. Requesting written answers no later than June 21, they wrote,
“While HIPAA privacy rules restrict the ability of a covered entity to release protected health information, those rules appear to impose no restrictions on the IRS’s ability to use such information after it is obtained.”
The suit contends that the agents “ignored” and “discarded” IT personnel at the scene, a HIPAA facility warning on the building and company executives who warned them of the privileged nature of the records. Moreover, it claims the IRS agents threatened to “rip” the server containing the medical data out of the building if IT personnel would not voluntarily release it.
Throughout initial reports of the case, spokespeople from the IRS have not responded for the record. The suit alleges that, despite “being put on notice of the illicit seizure,” the agency continues to possess the records.
As the case progresses, it could address a HIPAA compliance question: Do the IRS’ actions improperly impose on safeguards embedded in the HIPAA Privacy Rule? Moreover, does a federal agency’s seizure of protected medical records qualify as a data breach, requiring “John Doe Company” to report it and potentially receive fines from the HHS Office for Civil Rights?
Under the final HIPAA omnibus rule, organizations are required to report all incidents of data loss unless the risk of compromise is low. Organizations must consider the nature and extent of the PHI involved, the unauthorized party who accessed the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated when classifying a breach.
According to the U.S. Department of Health and Human Services, there are three exceptions to the definition of a “breach”: unintentional access by a member of the covered entity’s workforce, inadvertent disclosure from one person authorized to access the PHI to another authorized person, or a case in which the covered entity has a good faith belief that the unauthorized individual to whom the disclosure was made would not have been able to retain the information.
The class action against the IRS seeks $25,000 in compensatory damages “per violation per individual” in addition to punitive damages for constitutional violations, as well as an order to return the records and purge all government databases that store them.
June 13, 2013 3:34 PM
Posted by: EdBurns
Tags: mobile medical apps
The Food and Drug Administration (FDA) created a stir this week when it sent a letter to app developer Biosense Technologies asking the company why it has not sought clearance for its uChek Urine Analyzer app. It appears that this is the first instance of the FDA taking any sort of regulatory action against a specific mobile medical app in quite some time.
What’s notable about the letter is not so much the fact that this particular app caught the attention of the FDA. It would be hard to argue that existing medical device regulations should not apply to this app, which assesses glucose, urobilinogen, pH, ketone, blood, protein, bilirubin, nitrite, leukocyte and specific gravity in urine. These functions put the app squarely in the realm of medical devices.
What is really noteworthy here is the fact that the FDA is pushing ahead with regulatory actions even in the absence of finalized regulatory guidance. It has been nearly two years since the FDA issued its draft guidance on mobile medical device regulation. Since that time there has been an explosion in the number and functionality of mobile apps. It’s unclear how much of the original guidance is still relevant to today’s industry.
This is why it is hard to see the FDA taking firm action against any mobile app developer (the letter sent to Biosense is a “It Has Come to Our Attention” letter, which traditionally doesn’t carry as severe consequences as “Notice of Violation” letters with which pharmaceutical companies and clinical researchers are familiar). After all, how can the industry know exactly what’s out of bounds when the main regulatory agency won’t draw the lines?
In the mobile medical device regulation congressional hearings held back in March, Christy Foreman, director of the FDA’s Office of Device Evaluation, said finalized guidance should come before the end of the fiscal year, which ends in September. But pushing off final guidance until then would be too long, particularly given how long it has been since the industry received any form of guidance.
During those hearings, witnesses delivered testimony in which they repeatedly said they aren’t as worried about potential regulatory burden as they are about uncertainty. The Biosense case is a perfect example of the consequences of that uncertainty. In the absence of firm guidance the company developed an app that has some novel functions. Now it is facing regulatory pushback after the fact.
Issuing the final mobile medical device regulations as soon as possible could head off similar problems in the future and rekindle app development from companies waiting for them. In the end, patients will benefit, faster.
June 12, 2013 2:53 PM
Posted by: DonFluckinger
Tags: patient engagement, patient portal
Never mind the likely HIPAA violations that will occur when physicians and nurses start using their smartphones and iPads to message each other about patients, or worse yet, messaging patients directly over such non-secure channels: It could also be ratcheting up your malpractice risk.
In a recent story from the athenahealth 2013 user conference, Carrie Peacock, administrator for Pulaski Surgery Clinic of Little Rock, Ark., said that malpractice concerns, on top of privacy and security issues, keep clinicians from texting or emailing patients as a part of policy.
The story behind the policy probably sounds familiar to many practitioners struggling with the same issue in the age of smartphone-connected physicians and patients. She said the clinic developed it after it was discovered one practitioner had considered permitting a patient to use his smartphone text app to send a picture of a rash to him for evaluation.
While meaningful use stage 2 promotes such electronic patient engagement outside the four walls of the physician’s office, that won’t fly — and neither does text messaging, email or social media chats related to patient care — she said. Such ad hoc communication outside the electronic medical record increases malpractice risks, according to the advice of the clinic’s insurance carrier.
Even if they were secure to a degree that satisfied HIPAA compliance, such communications are difficult to remember to document in the patient record, especially if they fall on a weekend when the practitioner is away from the office and might forget about them the next time he comes into the office.
Pulaski’s answer was a secure patient portal through which patient communications are now routed, all captured and associated with the correct patient files. Not only does it help set the clinic up for meaningful use-grade patient engagement and HIPAA compliance, it has other side benefits.
“We have a lot of patients that ask for refills” of prescriptions over the portal, Peacock said. “We also have a lot of drug-seekers, I’m sure all of you who prescribe narcotics do as well. We can see the patterns, [such as] ‘Wow, she just sought five messages for refills of her narcotic in the last week.’ It was more on the practice to make sure that information was put in when patients were calling…[the patient portal's] been great in that aspect.”
June 11, 2013 11:02 AM
Posted by: adelvecchio
Tags: big data, supply chain management
A group of data analytics experts will meet in Washington, D.C., to explore how to best use predictive analytics to benefit patients. The Parkland Center for Clinical Innovation, based in Dallas, received a grant from the San Francisco-based George and Betty Moore Foundation to form the collaboration to improve patient outcomes and costs.
Analytics has been suggested before as a way to improve the healthcare system. Allowing more people to access a greater amount of information is only useful to a point because receiving too much information can be overwhelming. Determining what sets of data are worth analyzing and what data can be reviewed more broadly is one way to focus healthcare analytics. Ideally, analytics data will present a problem and a solution to a particular aspect of patient care. If not, the data may not be worth analyzing.
Analytics is affecting the healthcare supply chain, in addition to its uses for studying patient data. Analytics systems can study materials shipped to hospitals and determine ways to cut costs or ship more efficiently. An analytics system can also restrict hospital employees from ordering products from companies with which the hospital doesn’t have a contract, which saves the hospital money.
An Institute for Health Technology Transformation (iHT2) report cites the combination of EHRs and data analytics as the best way to use big data in healthcare. Deploying this strategy is a timely issue because an Oracle poll says healthcare organizations are gathering 85% more data than they did two years ago. Properly leveraging big data through analytics can help the healthcare industry earn more than $300 billion yearly, iHT2 estimates.
“Use of predictive analytics in routine clinical care holds great promise. It could lead clinicians and health systems to zero in on discrete subsets of patients, dramatically reducing resource consumption while simultaneously improving patient outcomes,” Gabriel Escobar, M.D., senior research director at the Kaiser Permanente Northern California division of research and co-leader of the session, said in a release about the new analytics collaboration.
June 7, 2013 1:36 PM
Posted by: EmilyHuizenga
Tags: Health care reform and federal initiatives
While most healthcare providers think of clinical data when it comes to crafting HIPAA compliance strategies, Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA) processes are affected by updated HIPAA laws, too.
The Workgroup for Electronic Data Interchange (WEDI) recruited 15 healthcare professionals to pen its latest white paper, “EFT and ERA Enrollment Process,” a tool for health plans, providers and clearinghouses. The guide outlines EFT and ERA regulations in great detail, citing specific examples for industry leaders to follow as they implement process changes under HIPAA.
The Affordable Care Act of 2010 requires Medicare-eligible providers to identify an EFT standard, develop EFT and ERA operating rules and create usage requirements for EFT by 2014. This, according to the authors, effectively mandates them for all HIPAA-covered entities.
WEDI’s EFT Subworkgroup compiled information to clarify the current EFT and ERA standards and proposed operating rules. They offer best practices for implementing and utilizing the requirements. A few notable standards from the process include:
- There is a maximum set of allowable data elements that can be included on an EFT enrollment form. What’s more, there’s a specific list of “controlled vocabulary” for them.
- The EFT Enrollment Rule also includes a requirement that the paper-based forms and electronic screens follow a “master template” that defines format, flow, field names and descriptions as well as the overall data set.
- The health plan must provide written instructions for how to complete the form, exact address or email address for delivery of the paper form (if applicable) and contact information (including telephone number and email address) at the health plan.
- Payers that provide EFT today have an EFT Enrollment form they use to enroll providers for EFT. It can be in paper form, a Web template or other electronic format. Once the provider completes the information and submits it to the payer, the payer will then validate the information to ensure that the submitter of the form is a valid provider and is eligible for receiving EFT payments.
- The ERA Enrollment Rule specifies that all health plans and their respective agents must implement and offer any trading partner (e.g., a healthcare provider) an electronic method and process for collecting the data set.
- Some payers also require that the submitter provide a copy of a voided check or a bank letter that can be used to validate the account information. They may also require the signature of the financial officer of the organization to ensure the payer is being properly authorized by the provider to send EFT transactions to that account.
- The enrollment process for ERA involves different information than what is needed for EFT; there may be more systems involved in setting up the process for a provider to receive the ERA.
June 6, 2013 2:41 PM
Posted by: EdBurns
Tags: EHR adoption, Meaningful use
To look at the recent EHR adoption numbers from the government, you’d think all is going well in the health IT world. But a couple of recent surveys suggest this is not entirely the case.
On May 22 the Department of Health and Human Services (HHS) released data showing that adoption of EHRs by hospitals and physicians has more than doubled since 2012. More than 50% of physicians and 80% of hospitals are now using EHRs.
In a release announcing the numbers, HHS Secretary Kathleen Sebelius said, “We have reached a tipping point in adoption of electronic health records…Health IT helps providers better coordinate care, which can improve patients’ health and save money at the same time.”
No doubt significant progress has been made in getting providers to adopt EHRs, but that may not be the whole story. On May 31, print and online publication Physicians Practice released its own survey data showing that, while adoption of EHRs has indeed spiked in recent years, providers’ satisfaction is actually heading in the opposite direction. Fewer than 54% of technology users reported being satisfied with their systems. That number is down from the 63% who said they were satisfied in the same survey two years prior. And 14% of providers who attested to stage 1 meaningful use said they don’t plan on continuing to stage 2.
Then there is the study published this week in the Annals of Internal Medicine. It showed that only 10% of physicians who used EHRs met all meaningful use measures in 2012. Many of the physicians who participated in the study used their EHR systems for relatively simple tasks like viewing labs, e-prescribing and recording clinical notes. Respondents largely said their EHR systems were difficult to use for more advanced functions.
These two surveys suggest that adoption numbers tell only part of the story. It’s clear that the healthcare industry is pushing ahead with EHR adoption, and that the pace of adoption jumps consistently. But, as the researchers behind the Annals study wrote in their conclusion, “Using EHRs as simple replacements for the paper record will not result in the gains in quality and efficiency or the reduction in costs that EHRs have the potential to achieve.”
If current trends continue, it may not matter how many physicians adopt EHRs. If doctors are unwilling to use the technology for the tasks necessary to improve quality and lower costs, the meaningful use program will have failed to achieve its goals. Therefore, measuring success solely in terms of adoption numbers may be shortsighted.
June 5, 2013 3:15 PM
Posted by: DonFluckinger
Tags: HIPAA healthcare data, information security
At the PHI Protection Workshop spring forum, presenter and data security firm Santa Fe Group CEO Catherine Allen acknowledged that protecting healthcare data involves more than just battening down the hatches against external cybersecurity threats such as hackers, terrorists and employees who sign on to jobs just to access and steal data.
However, those threats to providers will likely increase in the coming years, she said, as EHR implementations mature across most organizations and these “bad actor” employees realize the value in exploiting health data.
Allen drew parallels to the financial industry, whose data systems “grew up” some years ago. Healthcare can learn lessons from the financial sector as it follows down the same IT systems evolution path. First, she said, bankers cooperated to start a database of bad actor employees that amounts to a blacklist employers can check during the pre-hire background screening. Healthcare would benefit from such a database, too.
Also, she said, financial institutions typically see regulators as partners who help them better manage security risks, as opposed to adversaries as many healthcare institutions see them. She said that corporate compliance leaders view regulatory advisories as helpful tips for surviving audits or locking down data from the bad guys and not onerous busywork.
Speaking of the bad guys, Allen said healthcare information security leaders should stop thinking of hackers as miscreant teenagers in mom and dad’s basement attempting to cause mayhem. Although that does happen on occasion, she said more frequently hackers are paid employees of organized crime syndicates who methodically break into systems in order to steal salable data.
And then there are the terrorists, who aim to attack infrastructure. While healthcare apparently isn’t a common target for these groups yet, it could be in the near future, as data systems go online and attention is brought to their importance through initiatives such as President Obama’s recent cybersecurity executive order.
“They hire people, they look like a regular business would look for certain skill sets — to hack,” Allen said. “They interview for superior computer science skills and information hacking skills.”
June 4, 2013 11:07 AM
Posted by: adelvecchio
Tags: Kathleen Sebelius, sunshine act
The Department of Health and Human Services announced the release of new data at the Health Datapalooza conference. The conference brings together government, non-profit organizations and other businesses to explore how open data can improve transparency in healthcare.
“A more data driven and transparent health care marketplace can help consumers and their families make important decisions about their care,” Kathleen Sebelius, HHS director, said in a release. Some of the data released includes information about the EHR habits of 146,000 physicians and the average cost of 30 various hospital outpatient procedures.
Price transparency has been a recent focus on the part of HHS. Last month, the federal department released cost data of the 100 most common inpatient procedures. The data shows that there is “significant variation across the country and within communities in what hospitals charge for common inpatient services.” Providing patients with pricing information gives them another variable to consider when choosing where to receive their care. Despite the recent HHS releases, price transparency is still lacking according to a Health Care Incentives Improvement Institute report, which graded states on their transparency. Only two states have adequate transparency, while 29 have no transparency at all and received “F” grades.
The Centers for Medicare and Medicaid Services (CMS) has also announced a regulation to support payment transparency. The physician payment “sunshine” act, a provision of the Affordable Care Act, requires vendors and physicians to fully disclose their financial relationship. The rule will allow the public to view payment details between providers and vendors. All payments or transfers of value must be reported to CMS, who will release the data to the public in September 2014.
May 31, 2013 10:41 AM
Posted by: EmilyHuizenga
Tags: ICD-10 implementation
Though methodologies may differ, all HIPAA-covered healthcare entities have one thing in common when it comes to implementing the International Statistical Classification of Diseases and Related Health Problems, 10th Edition (ICD-10) codes: a deadline of October 1, 2014. Preparation varies widely among providers, but the authors of a white paper issued by revenue cycle management consultant Pyramid Healthcare Solutions offer some advice aimed at benefitting all organizations.
First, healthcare organizations have to realize the new ICD-10 system will affect more than just coding, reimbursement rates and billing; it will span the reach of EHR systems and corresponding data and analytics technologies, too. Keeping in mind that late or shallow adoption strategies can back up payment and take a toll on the revenue cycles, providers are best off devising an action plan sooner rather than later.
To get started, organizations should conduct an extensive assessment of clinical documentation processes to seek out situations or diagnostic cases that need more data for an appropriate ICD-10 code to apply. Thoughtful process evaluations like these can facilitate successful ICD-10 implementation, the authors said, and also make the transition more than just a compliance mandate.
And to ensure the codes are being used accurately and effectively, providers will have to take care to train both physicians and coders to master the new system. This will require resources, labor and time – and hospitals should be prepared to offer them. The time it takes to train users will cut down on errors later down the line, limiting workflow disruptions and beefing up reimbursements.
Lastly, as with most new health IT initiatives, providers can’t overlook the importance of planning to troubleshoot issues after go-live. ICD-10 may cause software errors during the first few months of implementation, and providers are encouraged to have procedures in place to make up for the loss in productivity and cash flow the new codes might instigate.
Whatever the precautions, the transition to ICD-10 – featuring more than 10 times as many codes as the current ICD-9 – isn’t going to be easy, but plenty of resources seek to ease the strain.