Meaningful Use, the Technology, the User or the Policy?

The gloves are off and many are now shouting their disdain for Meaningful Use from the rooftops. Like many before it, the policy was bred out of hope for positive change in the U.S. healthcare system, but has it done more bad than good? Many are asking: 30 billion dollars devoted to creating healthcare IT standards and computerizing healthcare organizations in an attempt to forge the digital pathway for the American healthcare system, and to what avail? I think the bigger question is why it is so difficult for this industry to go digital. Why is it even a debate? Every other industry is digital, so why is taking our #1 Gross National Product and making it accountable to the digital standards of other industries so difficult?

Many want to go back to the beginning, to review the history of federal IT policy. Some want to blame the vendors who create the EHR software and its inefficiencies, while others are content to point out that in order to make a technology successful you must first utilize it in the intended way, pointing their fingers at healthcare providers who implement technology but do not utilize it meaningfully.

Two recently published articles, “EHRs continue to be a challenge to HHS,” published by Healthcare IT News, and “Meaningful use: Born: 2009—died 2014?”, published by Wachter’s World, address the above-mentioned issues, though not in their entirety. This is not an easy battle to win, but it is a fight worth having. None of these challenges is singularly to blame, but each is responsible in part for hindering the intended goal of transitioning a historically paper world of healthcare to the digital age. The best approach to reaching this common goal is to enlist consultants who have successfully accomplished this feat and make it their mission to implement best practices. In the words of Heraclitus, “Big results require big ambitions.”

Contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) at 1-800-376-0212 or contact@ehrpmc.com for help in optimizing your EHR system by having our experienced consultants provide best practices on usage for your particular EHR system.

OIG: Paying Close Attention To HIPAA Security In Meaningful Use Audits

According to its recently released work plan, the Office of the Inspector General will continue to pay closer attention to the healthcare industry’s use of electronic health records, in particular HIPAA security, EHR incentive payments and fraud.

As digitization continues to be a priority, so does its appropriate implementation and use. In a response to ensure IT security, compliance and electronic health records, the OIG has requested a $400 million FY2015 budget, an increase of $105 million, creating another 284 full-time jobs to enforce the OIG’s audits and reviews.

“Important changes are taking place across the healthcare industry,” wrote Daniel R. Levinson, U.S. inspector general, in OIG’s 2015 work plan justification. These changes, Levinson continued, include “an emphasis on coordinated care and an increased use of electronic health records. OIG will need to adopt oversight approaches that are suited to an increasingly sophisticated healthcare system and that are tailored to protect programs and patients from existing and new vulnerabilities.”

So how does that translate to healthcare providers and healthcare organizations? Practices can expect closer scrutiny for HIPAA privacy and security compliance. Penalties have increased significantly under the new regulations. Practices can face fines up to $50,000 per occurrence—quickly offsetting or negating the EHR incentives they received.

Physicians can no longer afford to be relaxed about HIPAA compliance. They must have sound privacy and security protocols in place to protect against violations that could result in severe penalties.

A prime example occurred in July 2009, when a physician and two former employees of an Arkansas medical center pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of a local television anchor, thereby violating the HIPAA privacy rule. Each faces a maximum penalty of one year in prison, a fine of up to $50,000, or both.

Meaningful Use Audits are on the Rise!

The HHS Office of Inspector General has stated its intent to review electronic health records meaningful use incentive payments and the security of electronic health records under the program in 2015. With the recent ask of a $100 million increase in budget and the addition of 284 full-time employees, this should come as a big red warning flag to those providers who either intentionally or unknowingly provided inaccurate attestation information in previous years. Although the reviews have not been coined under the term “audit”, the OIG did state, “We will review Medicare incentive payment data from 2011 to identify payments to providers that should not have received incentive payments (e.g., those not meeting selected meaningful use criteria),” according to HHS OIG’s work plan for 2015. “We will also assess CMS’s plans to oversee incentive payments for the duration of the program and corrective actions taken regarding erroneous incentive payments.” Medicaid incentive payments also will be reviewed.

The scope of the OIG reviews is not clear. A spokesperson says OIG auditors will conduct the reviews and share findings with CMS.

Although the “scope” may not be clear, what is clear is that those providers who reported erroneous data, or are not prepared to provide actual data to support their meaningful use attestation, and received incentive payments will be expected to return the incentive payments and could also be fined.

It is important to hire an expert in Meaningful Use Audits to conduct a Mock Audit to ensure your information is accurate. It may not be too late to resolve what could potentially be an issue; however, once the audit or the appeals process begins it may take up a great deal of time. If you would like to conduct a Mock Audit or are facing a Meaningful Use Audit or Appeal, contact EHR & Practice Management Consultants, Inc. at 1-800-376-0212 or contact@ehrpmc.com.

HIPAA Compliant v. Mobile Devices

The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

The description above may seem black and white, but the recent rise in theft of healthcare data has revealed gray areas that have caused some debate within the medical security community as to what safeguards must be taken to assure that your providers and staff are HIPAA compliant. Recently Beth Israel Deaconess was hit with a hefty fine when a provider’s unencrypted laptop containing patient information was stolen. This incident was responsible for leaking sensitive information of more than 41 million patients. This is clearly a black and white case of negligence, which is why the fine was levied. However, what if the laptop was encrypted and the owner was robbed at knifepoint and forced to disclose the password information? Not so black and white, right? According to a recent robbery reported by Boston’s Brigham and Women’s Hospital, this is exactly what happened to one of their physicians, creating an interesting interpretation of the HIPAA Privacy Rule and Security Rule. This most recent incident involved the theft of two devices that contained patient-related information on 999 patients.

The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, who then issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.

“We apologize for any inconvenience and deeply regret any concern this situation may cause our patients,” said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. “We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future.”

The bigger question is whether encryption alone covers a healthcare organization’s responsibility under the HIPAA Security Rule. According to the Department of Health and Human Services, the answer is no: encryption alone is not enough. HHS states that the HIPAA Security Rule involves, “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.”

This is the third HIPAA breach for BWH, according to data from HHS, and the third theft. BWH is one of the largest healthcare organizations in Massachusetts and one of the most respected. If it can happen here, it can happen anywhere. With the advances of technology and the sharing of information comes the responsibility to protect that information. The government has defined how that information is to be protected, but it is the responsibility of the healthcare organization to safeguard sensitive patient information and put the proper precautions and mitigation plans in place to ensure security. Consult with a Security Expert today at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) by contacting us at 1-800-376-0212 or contact@ehrpmc.com. Even if you have completed a Security Assessment and have a Mitigation plan already in place, it’s better to have the assurance from a professional.

 

EHR Data Continues To Save Lives

In the midst of all the MU Stage 2 controversy comes evidence that EHRs are still having positive impacts on patient health outcomes. In May of this year Healthcare IT News released an article with data provided by the Department of Health and Human Services, reporting 15,000 lives and $4B saved so far from HAC reductions.

These reductions in adverse drug events, falls and infections have prevented nearly 15,000 deaths, avoided 560,000 injuries and saved as much as $4 billion in health spending over the same period.

“We applaud the nationwide network of hospital systems and providers that are working together to save lives and reduce costs,” said outgoing HHS Secretary Kathleen Sebelius. “We are seeing a simultaneous reduction in hospital readmissions and injuries, giving patients confidence that they are receiving the best possible care and lowering their risk of having to be readmitted to the hospital after they get the care they need.”

A more recent study by researchers in the U.S. and United Kingdom, published by CMAJ Open, analyzed 11.5 million electronic patient records, identifying a jaw-dropping number of undiagnosed cases of diabetes. Using an algorithm that analyzed biomedical data, researchers were able to identify that of the total 1,174,018 patients with diabetes, 63,620 had undiagnosed diabetes. Diabetes kills one person every six seconds and afflicts 382 million people worldwide, according to the International Diabetes Federation, a staggering number indeed. If the only positive outcome of EHRs were to identify diabetes patients worldwide and in return provide the treatment they require in order to save their lives, it would be worthwhile. Despite being inundated with negative commentary on EHRs and Meaningful Use in the last few months, I believe this is enough evidence to at least quiet the cynics and chalk this one up in the win category.

If you need assistance with optimizing your EHR or any other EHR needs, please contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) for additional assistance at 1-800-376-0212 or contact@ehrpmc.com.

New Deadline for EHs and CAHs to Attest for MU in 2014

The Centers for Medicare and Medicaid Services announced on November 24th a one-month extension to the deadline for eligible hospitals and critical access hospitals to attest to meaningful use of certified EHRs for 2014; the new deadline is December 31st. CMS stated that “this extension will allow more time for hospitals to submit their meaningful use data and receive an incentive payment for the 2014 program year, as well as avoid the 2016 Medicare payment adjustment.” CMS also extended the deadline for eligible hospitals and CAHs that are electronically submitting clinical quality measures to meet that requirement of meaningful use and the Hospital Inpatient Quality Reporting program. That deadline was also extended to December 31st, giving hospitals another month to submit their eCQM data to Quality Net. Unfortunately, the extensions do not impact the Medicaid program.

BYOD- The Good, The Bad and The Ugly

Bring Your Own Device (BYOD) is a new phenomenon happening in corporate America, especially in the hospital space. BYOD is a concept where employers allow their staff to use their own mobile devices for work-related purposes. In this day and age healthcare providers rely heavily on mobile devices for communication. While some organizations are looking to this new phenomenon to increase productivity, others have expressed valid concerns about how and what information will be accessed and the potential threat of violating HIPAA.

As it stands, no organizations have taken the final steps to approve a BYOD program; Penn Medicine is the closest to finalizing a plan to address many of the common concerns surrounding BYOD.

This forward-thinking approach to bridging the communication gaps in healthcare comes at a tumultuous time, considering the recent breaches in security and hefty fines incurred by several larger healthcare networks. Brigham and Women’s Hospital and Beth Israel Deaconess are two of the most recent victims of theft; Beth Israel Deaconess was levied with a $100,000 fine for negligence for failing to encrypt a laptop that contained sensitive patient information.

Allow our experts at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) to help address your concerns by contacting us at 800-376-0212 or contact@ehrpmc.com.

Big Data Produces Big Results

Big Data is a buzzword in the healthcare IT community and, according to recent reports, is producing big results. Let’s first understand what Big Data actually means. Big data is an all-encompassing term for any collection of data sets so large and complex that it becomes difficult to process them using traditional data processing applications. What does it mean to a healthcare organization that can simplify complex data and apply its results to better understanding its patient population? Improved patient outcomes. A new report released by Brigham and Women’s Hospital boasts more than a handful of ways to lower healthcare costs through the use of big data.

“The examples we present in this study provide key insights to the ‘low hanging fruit’ in healthcare big data and have implications for regulatory oversight, offer suggestions for addressing privacy concerns and underscore the need for support of research on analytics,” said David Bates, MD, chief quality officer at Brigham and Women’s Hospital and lead author on the study, in a press statement.

Brigham and Women’s researchers are using analytics to reduce costs in six key areas:

High-cost patients

The study suggests that identifying high-cost patients as early as possible and formulating a proactive approach will greatly reduce costs.

Readmissions

Many studies have revealed insight into the staggering rate of hospital readmissions; this study suggests that as many as one-third of readmissions may be preventable. Bates and his coauthors suggest that all healthcare organizations should use algorithms to predict who is likely to be readmitted. Their recommendations include: tailoring the intervention to the individual patient, ensuring that patients receive the interventions intended for them, monitoring specific patients after discharge to ensure they do not develop issues that would cause their condition to deteriorate, and ensuring a low ratio of patients flagged for an intervention to patients who experience a readmission (a low false positive rate).

Triage

The study shows that effective triage is key to predicting possible complications. Two pilot studies provide valuable lessons learned in establishing triage algorithms, ensuring the patient is sent to the correct place for care and enabling the staff to make more informed decisions.

Decompensation

As patients’ conditions worsen, certain organs may fail to adequately compensate for the systemic stress of a disease. But there is often a period in which physiological data can be used to determine whether the patient is at risk for decompensating. The study shows how the initial rationale for intensive care units was to allow patients who were critically ill to be closely monitored for just this purpose. Researchers emphasize such systems can now be used throughout the hospital, and that effective analytic systems in this area must use multiple data streams to detect decompensation, as many new technologies are becoming available that can be used to better monitor patients.

Adverse events

Adverse events are expensive, and can result in high rates of morbidity and mortality. But they’re preventable at high rates, according to B&W researchers, who spotlight three areas (renal failure, infection and adverse drug events) as specific opportunities where analytics can realize cost savings.

Treatment optimization

When it comes to chronic diseases affecting multiple organ systems, correctly managing these systemic problems is essential to keeping costs down. For instance, the study shows how autoimmune disorders such as rheumatoid arthritis and lupus could benefit from big data, enabling caregivers to deliver expensive therapies in a more targeted way, helping predict the trajectory of a patient’s disease and tailoring treatments and therapies along the way.

Allow EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) to help you analyze your patient data to improve patient outcomes and reduce costs. Contact us at 800-376-0212 or email us at contact@ehrpmc.com.

 

Failure to Encrypt A Provider’s Laptop Leads to a $100,000 Fine

Identity theft and security breaches have affected such big-name companies as Target, Home Depot and, most recently, JP Morgan, with hackers reportedly stealing financial information from over 76 million households. Financial information is understandably important to safeguard, but what about your personal information, such as your medical records and social security number, the most coveted piece of information? A recent healthcare data breach has affected 30 million people and counting; this information, however, includes patients’ social security numbers, leaving some feeling more exposed than when wearing a hospital gown. Beth Israel Deaconess in Boston, MA can attest to how this can happen to any healthcare organization, especially when the proper training and precautions are not put in place. Beth Israel Deaconess was hit with a heavy fine this month, after information was leaked from an incident occurring in 2012, when a physician’s personal laptop was stolen. The Massachusetts Office of Attorney General levied a $100,000 fine for failure to encrypt the device.

According to the Identity Theft Resource Center, healthcare data has seemingly become increasingly targeted, accounting for 43 percent of major data breaches reported in 2013. It seems to be on pace for this year and a dark shadow has already been cast over 2015.

Although the Federal Reporting requires breach notifications, that is, in my opinion, too little too late. Hefty fines are turning the heads of many larger healthcare organizations, with 69 percent of health security professionals in a 2013 survey saying their organization has a data breach plan in place. That’s not a number to grant a sense of ease; in fact, it’s not the 40 percent of larger healthcare organizations that are unprepared that worries me, it’s the smaller private practices that have no strategy in place and, much like the Beth Israel Deaconess incident, are still carrying my private medical information and potentially my social security number on a personal laptop with no encryption to secure the contents of the computer.

The moral of this story… don’t be a victim, take HIPAA security seriously and protect your patients’ sensitive information. Talk to a security expert, get the right training for your staff and put the proper precautions in place.

Contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) for Assistance at 1-800-376-0212 or contact@ehrpmc.com for all your security needs including encryption!

Security Tips from EHR & Practice Management Consultants, Inc.

Approximately 40% of healthcare organizations reported a criminal data attack this year.

Ask yourself: how can you put a multi-layer defense in place to prevent a breach?

What are the risks?  Reputational Risks? Data Integrity Risks?

Areas To Address:

  • Encrypt every device, and determine how to protect the data center from external and internal attacks.
  • Have a Risk Analysis done properly, since the OCR is asking up to 5 years back now to show that you have made a conscious effort to mitigate your risks every year.
  • Staff training and education, penetration tests, cable locks or trackers for unencrypted devices all matter.

As previously mentioned in my blogs, the OCR stated over 60% of breaches occur because of theft or loss of an unencrypted device. Therefore, it is important to keep track of any device that leaves the office! Unauthorized disclosure of accounts accounted for 16% of breaches. Hacking of accounts accounted for only 7% of actual breaches.

A 2011 Ponemon Institute report estimated full disk encryption to average $232 per user, per year.

Keeping EPHI secure is not only a matter of professional responsibility but a matter of cost, reputation, and integrity to the patient-provider relationship.

If you need help keeping EPHI (Electronic Patient Health Information) secure, please contact us to do a HIPAA Privacy/Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.