Docs, You’ve Been Hacked. What’s Next?

By: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for safe disclosure of patients’ protected health information.  The news headlines showcase giant penalties for violations.  However, Florida health care providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act.  So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure?  Responses vary based on the situation presented, but below is a good jumping off point: Continue reading

Physician Communications: Considerations for Using Text Messages and Social Media

By: Jackie Bain

It is becoming easier and easier for physicians to communicate with each other and their patients.  And although open communication is generally thought of as positive, the medical profession should proceed with caution.  Patients and consulting physicians rely heavily on their communications with their treating physicians.  Thus, communications which do not require the thought or focus that a physician would otherwise give to a situation may result in disaster.  While there are many potential ways a physician might use text messaging and social media both professionally and personally, we will focus generally on physician interactions with other physicians, and physician interactions with patients.

To start, physicians should be aware that, in 2011, the American Medical Association issued guidelines in its Code of Ethics for physicians who use social media: Continue reading

Fall 2014 HIPAA Audits: Is Your Business Ready?

By: Jackie Bain

Section 13411 of the HITECH Act authorizes and requires the Department of Health & Human Services Office for Civil Rights (“OCR”) to provide for periodic audits to ensure that covered entities and business associates comply with the HIPAA Privacy and Security Rules. OCR conducted its first round of those audits in 2011 and 2012, and has announced that it will begin a second phase.  Unlike the first phase of audits, which were limited to covered entities, both covered entities and business associates are intended to be audited during this second phase.

How will audited businesses be selected?

This fall, OCR will deliver pre-audit surveys to between 550 and 800 covered entities.  OCR is attempting to obtain a fair snapshot of all covered entities, so these pre-audit surveys will be sent to health care providers, health plans, and health clearinghouses. Moreover, the audits will span the gamut of business sizes, from large corporations to solo practitioners. After pre-audit surveys are returned, OCR will randomly select 350 of those covered entities for a full audit.  As a part of these full audits, covered entities will be asked to identify their business associates.  OCR will then select 50 business associates to participate.

Federation’s Model Telemedicine Policy is Well Timed

Many health policy experts are betting on the expanded role of telemedicine as an essential cost-saving, quality (and access) enhancing tool.  Yet legal and policy issues have dogged the development of useful telemedicine guidelines, making it difficult to know what’s ok and what’s not.  What sort of licensure is required for physicians practicing telemedicine?  When is the physician “practicing medicine” vs. “merely consulting?”  When is a physician-patient relationship established?  Is one even necessary?  The new model policy developed by the Federation of State Medical Boards should help guide states in developing specific telemedicine standards.

$800,000 HIPAA Settlement for Leaving Patient Records on Physician’s Front Porch

The Department of Health and Human Services announced this morning that it has entered into a settlement agreement with Parkview Health System, Inc., an Indiana medical group caught up in a HIPAA violation case.  Parkview was assisting a retiring physician to transition her patients to new providers.  Parkview was also considering purchasing some of the physician’s patient records.  When Parkview attempted to return between 5,000 and 8,000 patient records to the physician, she was not home to accept their return.  Parkview employees left cardboard boxes containing between 5,000 and 8,000 patient medical records outside of the physician’s home, and within twenty feet of a public road.  In settlement and release of HHS’ claims against Parkview for such a HIPAA violation, Parkview agreed to pay the Department of Health and Human Services $800,000 and enter into a Corrective Action Plan.  The entire Resolution Agreement between Parkview and HHS is available here.

Phoning It In – Florida’s Brand New Telemedicine Law

By: Jackie Bain

Until recently, the State of Florida has successfully avoided regulating telemedicine to account for advancements in technology. In 2003, the State issued standards for telemedicine prescribing practice for medical doctors and doctors of osteopathy, but has not formally revisited its position in light of increasingly common telemedicine practice in several states – until now.

Florida’s forestalling has officially come to an end.  The State recently enacted new physician standards for telemedicine practice, and the State legislature is presently considering further regulation.  These new standards do not impinge upon the prior standards for telemedicine prescribing practice, but are issued in conjunction with them.

Florida Clinical Labs Must Now Give Patients Direct Access to Their Laboratory Test Results

By: David Hirshfeld

In an effort to help individuals access their health information so that they can become more actively involved in managing their own health care, several agencies within the Department of Health and Human Services promulgated a rule that modifies the Clinical Laboratory Improvement Amendments (“CLIA”) and the Health Insurance Portability and Accountability Act (“HIPAA”) in a way that supersedes Florida State laws governing the disclosure of laboratory test results directly to patients.

HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first consists of final modifications to HIPAA mandated by “HITECH”, together with modifications intended to improve the Rules; these were issued as a proposed rule on July 14, 2010, and comprise six modifications.

The first omnibus final rule makes business associates of covered entities directly liable for compliance with certain HIPAA privacy and security rule requirements. It also strengthens limitations on the use and disclosure of protected health information; expands individuals’ rights to receive electronic copies of their health information; provides for the modification and redistribution of entities’ privacy practices protocols; modifies individual authorization forms and other requirements to facilitate research and the disclosure of child immunization proof to schools, as well as to enable access to decedent information; and, lastly, modifies the enforcement rules to address violations such as non-compliance with HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves the breach notification for unsecured protected health information under the “HITECH” Act. This rule replaces the prior rule’s “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered business entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation Category – Section 1176 (a)(1) | Each Violation | All such violations of an identical provision in a calendar year
(A) Did Not Know | $100-$50,000 | $1,500,000
(B) Reasonable Cause | $1,000-$50,000 | $1,500,000
(C)(i) Willful Neglect-Corrected | $10,000-$50,000 | $1,500,000
(C)(ii) Willful Neglect-Not Corrected | $50,000 | $1,500,000

Providers need to be aware of the penalties for violating the rules. As we most recently reported to you, the Office for Civil Rights will not hesitate to sanction providers for violating the Act in amounts in excess of $1.5 million.

Portal not “Port-All”

By: David Hirshfeld

Whether as a means of satisfying the Stage 2 “meaningful use” requirements of the HITECH Act, or in an effort simply to enhance the efficiency of their practices, many of our clients have been implementing electronic medical records software that includes patient portals.  A “patient portal” is an electronic doorway between patient and practice.  Portals often allow patients to check and download their own treatment records, and to use digital messages as a means of communicating with clinicians.  Portals can be awesome tools with which to enhance your practice, but they need to be implemented thoughtfully.

A portal is often an excellent way in which to add operational efficiencies that reduce costs, increase patient satisfaction, and increase positive outcomes; BUT, if not carefully monitored, it can become an inadvertent point of entry for information, the meaning of which can only be appreciated when delivered in a face-to-face office visit, where other aspects of the patient’s condition would be evident (e.g. pallor, swelling, confusion).

Portals should be limited to more benign encounters, such as: patient registration, financial clearance, medical history, appointment scheduling / confirmation, specialty referrals, notification of test results, online bill payment, non-narcotic prescription renewals, follow-up of specific conditions for which there has been a course of in-person treatment that included an agreement as to the use of the portal for follow-up.

I recommend that practitioners train their patients how and to what extent they should use the portal by presenting patients with a “Terms of Use” agreement (that they must sign); and by reminding patients of the Terms of Use if and when they use the portal for an encounter that should have been handled by an in-office visit.

A good “Terms of Use” agreement ought to convey the following information to patients before they use the portal:

  • Identify the proper subject matter to be communicated through the portal and, just as important, the types of communications that should NOT be made through the portal.
  • In addition to communication, what other functions the portal will make available to the patient (e.g. what records can patients view, can they download, can they transmit to other providers, refill prescriptions, help practice to monitor an ongoing condition, etc.).
  • The portal is highly secure, more secure than conventional email, and should be the only way that patients should convey information to the practice other than in-person or, perhaps, on the telephone.
  • Everything conveyed to the practice through the portal will become part of the patient’s medical record.
  • Not only the physician, but other clinicians and practice staff may read communications made through the portal.
  • How quickly, and in what format, will the practice respond to patient communications made through the portal.
  • Whether and on what terms the practice will allow access to records of its minor patients.
  • How modifications to the “Terms of Use” and portal functionality will be conveyed to patients.
  • A primer, as simple as possible, on how to effectively use your practice’s portal.

Portals can be awesome tools with which to enhance your practice; but they need to be implemented thoughtfully, and in conjunction with patient training.

 

ACO Challenges Are Formidable

Hanging this nation’s cost cutting/quality enhancing hopes on Accountable Care Organizations (ACOs) is bound to be frustrating and disappointing.  The ACO model seriously lacks sufficient real world grounding and is no magic pill.  Things like resources, operational capability and alignment (of financial incentives and direction) seem to have been overlooked or undervalued.

The ACO model is based on one fundamental assumption:  an expanded role of primary care physicians can slow cost increases and ensure better coordination of care.  That assumption is flawed for two reasons:  first, there is a large and growing primary care shortage; and second, the financial incentives in healthcare have driven a system based on acute, episodic interactions, leading to enormously fragmented clinical training and care.

Not only do we have inadequate resources to drive change away from acute, fee-for-service-based care, but we also lack resources that drive wellness. As one physician with a large hospital system recently said:  “We physicians are not trained to provide healthcare.  We’re trained to intervene when things go bad.”  Asking healthcare professionals and facilities to drive a model based on outcomes and resource consumption is theoretically possible, but a remarkable leap of faith (and training) is required, given they have made their livings off of sick people for so long.  That’s not to say that changing financial incentives from acuity to wellness and outcomes won’t work.  It’s just going to require training and proof that the players can make money with the new mandates.

As far as operations go, those with the greatest access to management, capital, IT and such are also the most expensive—hospitals.  It makes sense that the core objective of healthcare reform is to “squeeze the toothpaste tube” backwards from hospital to specialist to primary care physicians, but it’s a great leap of faith to expect that hospitals will or even can control costs.  In a healthcare system where providers admittedly are rewarded for doing more with more expensive things, the sharp turn required by the new law will require more than just a new law.  With all the current hospital-driven physician acquisitions, the increasing role of hospitals on the ACO issue looks at times more like turf guarding than any real cost-saving, quality enhancing move.

At the end of the day, all players have to answer the question “Did they reduce cost and enhance quality?”  It seems convincing that moving away from the fee for service model will change behavior.  We just need to make sure (1) there are sufficient resources to implement the change, and (2) financial and clinical issues are well balanced.  Time will tell, but meanwhile the current irony is that the most expensive link in the chain is best situated to actually operationalize the ACO concept.

Alignment is critical.  Financial alignment will require the players to believe they can all thrive in the new ACO model, yet physicians are historically leery of any hospital driven system.  In fact, given that hospitals are driving the ACO bus at the moment, the biggest fear among physicians is that they will be left out.  Even among physician-driven ACOs, the tension between primary care physicians and specialists is intense.  How much of any savings will go to primaries vs. specialists is no less divisive than the issue of the hospital/physician split of the shared savings.

Even more critical is the apparent lack of consideration given to the need for patient participation.  Where is the financial incentive for healthy patient choices and the disincentive for unhealthy patient choices?  Moreover, in a culture where more is more, why would anyone want to receive care from an organization that gets more by giving less?  Given further the ability of patients to wander in and out of ACOs and yet charge their ACO with the costs of non-ACO providers (who arguably have no stake at all in reducing expenses), the forecast for patient alignment is gloomy, but their buy in is critical.  It is difficult to see where patients have any stake in this change and would even be inclined to choose to be served by an ACO.  Many noted theorists have drilled on the glaring lack of patient alignment.  Rama Juturu and recent Wall Street Journal editorialists/economist Clayton Christensen have been outspoken about the need to enlist patients in the drive from intervention to prevention.  Patients that flock to ACOs (or whatever) will only do so if they see what’s in it for them.  The only thing an ACO can sell is results, outcomes.  And that’s gonna take time to measure and to sell.

At the end of the day, the threat of ACOs (and any vehicle to control healthcare costs more effectively) isn’t that they won’t work.  It’s that cost concerns will outstrip clinical ones.  While it can be argued that the employment of physicians by traditionally adverse players (like hospitals) will likely reduce the tension between them, it is precisely that tension that has always held the threat of “money over quality” at bay.  What will happen as hospitals and other healthcare players employ more and more physicians?  One can only hope that it is not silence and that, as found in some well established systems in the Midwest and West, respect for the different and necessary roles of ensuring both quality and economic survival will balance out, regardless of the healthcare delivery model that emerges.