Friday, February 12, 2016

ONC Blog Series Part 1: HIPAA and Interoperability

In February 2016, The Office of the National Coordinator for Health Information Technology (ONC) launched a new four-part blog series to explain the permitted uses of health information under HIPAA. The series emphasizes that HIPAA not only protects personal health information from misuse, it also enables personal health information to be accessed, used or disclosed interoperably, when and where it is needed for patient care.

We begin our coverage of the four-part series with Part 1: The Real HIPAA Supports Interoperability. This introductory post establishes HIPAA as serving the dual functions of protecting personal health information from misuse and also enabling personal health information to be used between Covered Entities (CE) under specific conditions.

ONC released two new fact sheets which give numerous examples of when electronic health information can be exchanged without first requiring an authorization or a writing of some type from the patient, so long as other protections or conditions are met. HIPAA provides many pathways for permissibly exchanging Protected Health Information (PHI).

The new fact sheets remind stakeholders through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities.

Next week, the blog series will continue to delve further into Permitted Uses and Disclosures. As per ONC, Blog #2 will be background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers, and between provider and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities, including via a health information exchange.

Six Critical Imperatives for Progress in Healthcare

In 2015, healthcare spending eclipsed $3.2 trillion, which is 18% of the nation’s gross domestic product. CMS projects healthcare spending to reach $4.3 trillion by 2020 (18.5 percent of GDP) and $5.4 trillion by 2024 (19.6 percent of GDP). Healthcare costs are rising faster than the economy as a whole, putting the pinch on patients and providers alike. Every dollar spent on healthcare is a dollar that cannot be spent on a critical competing need, at both the micro and macro levels of the economy. Knowing this, we must ask: is the best possible care being provided to patients? Is the care effective in reaching its goal?

Fred Bazzoli of Health Data Management, in his article “HIT Think: A Moon Shot for Healthcare: 6 Critical Imperatives,” proposes essential components that would give healthcare a chance to reach the ultimate goals that it needs to achieve. 

Six Critical Imperatives:
  1. Achieve interoperability: Patient information must be easily, seamlessly and automatically exchanged between any and all information systems. A patient's data ought to be accessible in full by clinicians and presented in a way that is comprehensive and easily understandable. 
  2. Develop usable, intuitive, and all-inclusive electronic health records systems: Caregivers should be able to use different EHR systems without having to labor at using them. In addition, records systems need to support all of a patient’s information, structured and unstructured, and also should support analytics efforts by clinicians and researchers.
  3. Solve caregivers' technology frustrations: Technology needs to make the lives of caregivers easier, not increase burdens. Technology needs to solve caregivers' problems, facilitate care, increase efficiency and make caregivers’ lives better, resolving enough of their pain points to encourage them to stick with their roles as the industry reinvents itself and not leave the profession.
  4. Maximize industry coordination and cooperation: Every caregiver must have all available information on a patient, so that everyone can work together to wring out as much unnecessary cost as possible from the system. Data sharing between IT systems will play a crucial role in achieving this.
  5. Reduce administrative expenses to the bare minimum: Estimates of administrative expenses in healthcare traditionally have ranged from 20 to 25 percent of all industry expenditures. At the low end, that would mean $600 billion is spent on healthcare that’s not directly related to care delivery. Much of that money needs to be reallocated to areas such as clinical and operational research.
  6. Focus resources on deeply involving consumers in their health: Patients need to understand the importance of paying attention to self-care, whether that means taking on healthy habits, avoiding habits that are destructive and following care regimens. A restructured healthcare system needs to demonstrate it cares about patient health as much, if not more, than treating sick patients.
As the industry enters a period of uncertainty about the direction of health policy, it must get serious about improving care and cutting costs. IT can help, but the will must be there to use it.

Has the incorporation of technology in your organization's daily procedure helped or hindered effectiveness and efficiency? Do you have any suggestions for how to better integrate technology in practice? Let us know your thoughts and concerns in the comments below.

Tuesday, February 9, 2016

Hospital Company Sued Under FCC's Tighter TCPA Rules

In September 2015, we reported on the Declaratory Ruling and Order issued by the Federal Communications Commission (FCC) on July 10, 2015. In short, this ruling clarified several exemptions under the Telephone Consumer Protection Act (TCPA) regulations common to healthcare organizations. These issues were raised in a petition filed by the American Association of Healthcare Administrative Management (AAHAM) regarding the exemption from prior express consent of “healthcare-related messages.” [For a thorough breakdown of the ruling and its component parts, please see our post “Deconstructing the FCC’s Declaratory Ruling on TCPA Regulations.”]

Now, Prospect Medical Group’s Southern California Hospital at Culver City is one of the first providers to be targeted with a class-action lawsuit since the FCC’s July interpretive ruling. The lawsuit alleges that the hospital used an automated dialer to call patient Donna Ratliff on her cellphone in order to collect a debt and did not have her express consent to do so.

In its ruling, the FCC made it clear that debt collectors need express consent before dialing a cellphone and gave little leeway for when they reach a number that's been reassigned.

As of January 28, 2016, Prospect Medical Group said it had not been formally served with a complaint. Nonetheless, the company insisted it follows the necessary practices to obtain consent to call patients on their cellphones, in that “all [of our] patients are asked to sign an irrevocable authorization permitting our hospitals to contact them via telephone—including, specifically, via cellphone—in their efforts to collect outstanding debt."

Attorney Bradley Andreozzi of Drinker Biddle suggests the best policy for any hospital is “to have written consent during the admissions process that is broadly worded to include all types of automated calls and texts.”

TCPA violations are already an active area for plaintiffs, with TCPA-related lawsuits increasing 560% between 2010 and 2014, according to ACA International, the Association of Credit and Collection Professionals. Penalties for TCPA infractions start at $500 per call and can reach as much as $1,500 for willful violations.

Still, the most controversial part of the FCC ruling – when a debt collector reaches someone in error – is left unexamined. The FCC allows medical debt collectors to call a number just once without penalty, regardless of whether someone picks up. ACA International has sued the FCC challenging the July order.

In sum, attorney Lewis Wiener of Sutherland, Asbill, & Brennan asserts that the best way for providers to protect themselves is to have a rigorous process for getting consent, use broad language, respect the wishes of those individuals who “opt out,” and whenever possible, use email to create a paper trail.

Has your organization developed a new protocol for obtaining patient consent in light of the FCC ruling? Do you feel sufficiently protected from exposure to litigation? Let us know your concerns in the comments below.

The original article by Beth Kutscher can be found at the following address:

Monday, December 14, 2015

Small privacy violations can have huge impact on individuals but don’t get the appropriate attention and follow-up under current HIPAA enforcement

Large data breaches in healthcare get high public visibility but may have little-known impact on the individuals whose data is stolen; small, little-known breaches, by contrast, can have a huge impact on a single individual. National Public Radio drew out this contrast in its report Small Violations of Medical Privacy Can Hurt Patients and Corrode Trust.

Noted by the report –

Under the federal law called the Health Insurance Portability and Accountability Act, or HIPAA, it's illegal for health care providers to share patients' treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year.

The bulk of the government's enforcement — and the public's attention — has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed, but little exploited.

The report also notes that –

Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, the office typically settles for pledges to fix any problems and issues reminders of what the privacy law requires. It doesn't even tell the public which health providers have reported small breaches — or how many.

The Office for Civil Rights took some criticism in this NPR report:

The vast majority of the federal Office for Civil Rights' enforcement work has been directed at large-scale medical data breaches, whether or not they result in any demonstrable real-world harm.

Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected. OCR's website makes public a list of these cases, highlighting them on what industry insiders dub the Wall of Shame.

Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.

Organizations only have to report them to OCR once a year. Even then, the agency doesn't post them online. HHS has rejected requests under the Freedom of Information Act for information about them.

Since 2009, OCR has received information about 1,400 large breaches. During the same time, more than 181,000 breaches affecting fewer than 500 individuals have been reported.

In September, the HHS inspector general issued two reports that criticized the Office for Civil Rights, including its handling of small breaches. One report said OCR should strengthen its follow-up of breaches of Patient Health Information reported by HIPAA covered entities. Another report said OCR should strengthen its oversight of covered entities’ compliance with the HIPAA Privacy Standards. The inspector general said OCR did not investigate the small breaches reported to it or log them in its tracking system.

Thursday, December 10, 2015

HealthData Management Reviews the Ten Largest Healthcare Cyber Attacks in 2015

HealthData Management recently reviewed the 10 largest cyber attacks of 2015 in the healthcare setting. The report notes that some of the attacks started in 2014 or earlier; the list is ordered by when the attacks were reported. The total number of victims from these hacks was placed at 109,671,626, which represents about one-third of the population of the U.S. Each hacked organization has offered paid credit and/or identity theft protection services.

The single largest attack was against Anthem Health Insurance, affecting 78.8 million individuals. The hack affected all Anthem product lines, compromising names, birthdates, member IDs, SSNs, addresses, phone numbers, email addresses and employment information.
An attack against Premera Blue Cross, which started in 2014, affected 11 million individuals. As with Anthem, a wide range of member information was compromised, including personal bank account numbers. Ten million individuals were affected by an attack, started in 2013, against Excellus BlueCross BlueShield, which included members from other BCBS plans in a 31-county area of upstate New York. The company said “Individuals who do business with us and provided us with their financial account information or Social Security number also are affected.”

UCLA Health detected suspicious network activity in late 2014 and investigated with assistance from the FBI, concluding at the time that the attackers had not gained access to parts of the network that contain personal and medical information. In mid 2015, as part of an ongoing investigation, UCLA determined that the attackers had in fact accessed those parts of its network, affecting 4.5 million individuals.
Medical Informatics Engineering, which sells electronic health records with its NoMoreClipboard subsidiary, found an attack that involved 3.9 million individuals. The hack retrieved patient names, user names, hashed passwords (which remain exposed to offline cracking if the hashing scheme is weak), security questions and answers, email addresses, dates of birth, health information and Social Security numbers.

An attack against a single database at CareFirst BlueCross BlueShield affected 1.1 million individuals. The attack was discovered during security work being done in response to attacks against other insurers. Limited personal information was said to have been involved in the attack, with no member Social Security numbers, medical claims information or financial information put at risk.
In mid 2015 Beacon Health System discovered a phishing attack, which had started in late 2013, that accessed multiple employee e-mail boxes. The breach was found by an internal forensic team after an employee noticed email irregularities, and affected the two-hospital system and affiliated physicians. St. Mary’s Health in Indiana discovered a breach affecting 4,400 individuals after investigating an attack against employee email accounts.

Advantage Dental, with 30 clinics across Oregon, discovered an attack on an internal database that affected over 150,000 individuals. The access was terminated within three days of discovery, and notifications were sent to affected individuals within 30 days. The intruder accessed the database through a computer infected with malware.

Monday, December 7, 2015

Check out The Joint Commission's Physical Environment Portal

The Joint Commission announced a Physical Environment Portal, in partnership with the American Society for Healthcare Engineering (ASHE), which focuses on 25 Life Safety and Environment of Care elements from 8 standards identified as the most cited for violations over the last four years.

This simple infographic identifies the standards being featured: Utility Systems, Means of Egress, Built Environment, Fire Protection, General Requirements, LS Protection, Automated Suppression System, and Haz Mat/Waste Management.  Each standard is being highlighted in 2-month modules: The first month features information for facilities managers; the second month focuses on strategies for leadership and clinical impact.  The current modules may be found on the Portal’s Announcement Page.

For example, for violations associated with LS.02.01.20 – The Hospital Maintains the Integrity of the Means of Egress – the Portal offers examples of improved compliance, both for facilities managers and for leadership. Two Elements of Performance are identified as problem areas: Corridor Clutter was found to have a non-compliance rate of 22.41%, and Doors unlocked in the direction of egress was found to have a non-compliance rate of 16.84%. A flow chart walks through issue identification, the risks associated with non-compliance, the potential impact of the risk and mitigation strategies. Notice that for each of these EPs there is a crosswalk to the CMS Conditions of Participation.

Navigate to the ASHE website’s Focus on Compliance for additional resources on each standard. For example, for violations of LS.02.01.20 – The Hospital Maintains the Integrity of the Means of Egress – three specific areas are identified: Obstructions of the Means of Egress, Inappropriate Locking Mechanisms, and Improper Use or Designation of Suites. Also, remember to visit and explore the resources in the Joint Commission Survey Toolkit.

Finding a standardized combination of patient attributes and standardizing the collection/input of these attributes in provider electronic systems

Over a year ago NAHAM offered recommendations that were recorded in the Office of the National Coordinator for HIT’s 2014 Patient Identification and Matching Final Report. Pointing to the standardization of data attributes and their capture in electronic systems, NAHAM wrote –

NAHAM supports continuing efforts to create an environment of positive patient identity and believes that the standardization of patient identification protocols and technologies is an important means to this goal. NAHAM is investigating appropriate third factors to enhance positive patient identification. NAHAM supports the development of standards for data attributes in electronic systems, whether clinical or administrative, and enhanced common capabilities for all health data systems to input standardized data….

This reference to “appropriate third factors” is a call on providers to go beyond The Joint Commission’s National Patient Safety Goal requirement that at least two patient identifiers be used. While it can be acknowledged that this requirement speaks primarily to the clinical setting, it is a benchmark for Patient Access as well. NAHAM’s recommendations call for an additional set of patient identifiers, ideally standardized both in combination and in means of collection, so that all healthcare systems are tracking the same data in the same manner, using the same recording protocols. NAHAM’s recommendations to the ONC also included a call for standardized EHR technology solutions that would support the standardized patient identification attributes –

Ongoing education and training are also important to ensure personnel at all levels understand the important roles patient data input and patient identification protocols serve in enhancing patient safety.  NAHAM supports Stage 3 Meaningful Use requirements to improve patient matching and supports a comprehensive approach that includes the standardization of patient identification attributes, the development of standards for EHR technology solutions, and the development of best practices and protocols for data input. This would include regular feedback from supervisors and audits for quality control.

The same ONC report, based on the input of a number of stakeholders, including NAHAM, recommended the following data attributes: First Name, Last Name, Previous Last Name, Middle Name or Middle Initial, Suffix, Date of Birth, Current Address, Historical Addresses, Current Phone Number, Historical Phone Numbers, Gender. Whether these are the ideal data attributes is arguably subject to debate; however, we do have a general idea of what attributes are most commonly captured.

The results of an informal NAHAM survey presented at the Patient Identity Integrity Symposium held prior to the 41st Annual Educational Conference and Exposition showed that over 80% of respondents indicated that their systems collected the following patient information: Name (First and Last), Home Phone Number, Work Phone Number, Date of Birth, Gender, Next of Kin, Next of Kin Relationship, Guarantor Phone Number, Primary Physician, Insurance Information, Medical Record Number, Billing Address. 

Next of Kin, Next of Kin Relationship, Medical Record Number, and Billing Address fall out when looking at what 90% of respondents collect.  When looking at the common identifiers for all respondents, patient Work Phone Number and Primary Physician fall out.  The survey showed that 100% of respondents collect patient Name, Home Phone Number, Date of Birth, Gender, Guarantor Phone Number, and Insurance Information. 

We also have some metrics on the key patient identifiers or traits: Validity (is the trait known to be correct?), Distinctness (is the trait able to uniquely identify an individual?), and Stability (how much does the trait remain constant over the lifetime of the individual?). The recent Sequoia Project's Framework for Cross-Organizational Patient Identity Management (Draft for Public Review and Comment: November 10, 2015) rated these characteristics along with Completeness (at what rate is the trait captured and available?) and Comparability (noting that numbers such as SSNs are easier to compare than free text such as addresses). Last Name, First Name, Gender and Date of Birth scored well enough to be considered desirable traits, and Postal Code and Primary Phone Number were identified as promising, although Postal Code in particular scored low for Stability. Ethnicity and Race scored high and very high for Comparability and Stability but comparatively lower for Completeness, Validity and Distinctness.

When looking at combinations of these traits, the following had the highest levels of Completeness: FN+LN+DoB, FN+LN+DoB+Gender, and FN+LN+DoB+Gender+Zip Code (first 5 digits). This last combination scored second-highest for Uniqueness, behind only FN+LN+DoB+Gender+SSN (last 4 digits), although that SSN-based combination scored among the lowest for Completeness. The Social Security Number on its own scored low for Completeness and Validity, while scoring high for Distinctness, Comparability and Stability.

So, what combination of attributes could become the basis of a national standard?  Do phone numbers, historical addresses, or next of kin and relationship aid in maximizing Patient Identity Integrity?  What about the last four digits of the Social Security Number?  What combination of attributes does your organization collect?
We'll leave for another discussion the important milestone of standardizing the collection of these attributes -- meaning the protocols and conventions used in collecting and recording First Name and Last Name, whether to record Middle Name or Middle Initial, and how to agree on conventions such as hyphens (do we eliminate these altogether?), titles, and generational titles - Junior, Senior, etc.
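To make the Completeness/Uniqueness trade-off and the normalization question above concrete, here is an added example (not from the ONC report, the Sequoia Project framework, or NAHAM's survey). It scores the attribute combinations discussed above against a small constructed set of registration records that carry a hidden "true person" label, counting how often a combination cannot be built (incompleteness), how often it merges two different people (false match), and how often inconsistent data entry splits one person into two (missed match). The record set, the field names, and the normalization conventions (drop hyphens and generational suffixes, accept two date formats) are all assumptions made for illustration.

```python
"""Added example: scoring patient-identifier combinations on constructed data.
The records, field names and normalization rules are illustrative assumptions,
not any organization's actual matching algorithm."""
import re

SUFFIXES = {"JR", "SR", "II", "III", "IV"}


def norm_name(raw):
    # Upper-case, drop punctuation and hyphens, drop generational suffixes.
    # Convention assumed here; the page leaves the hyphen question open.
    tokens = re.sub(r"[^A-Za-z]+", " ", raw).upper().split()
    return "".join(t for t in tokens if t not in SUFFIXES)


def norm_dob(raw):
    # Accept YYYY-MM-DD or M/D/YYYY and emit YYYYMMDD; anything else is "missing".
    m = re.fullmatch(r"\s*(\d{4})-(\d{2})-(\d{2})\s*", raw)
    if m:
        return m.group(1) + m.group(2) + m.group(3)
    m = re.fullmatch(r"\s*(\d{1,2})/(\d{1,2})/(\d{4})\s*", raw)
    if m:
        return m.group(3) + m.group(1).zfill(2) + m.group(2).zfill(2)
    return ""


def norm_gender(raw):
    g = raw.strip()[:1].upper()
    return g if g in {"M", "F"} else ""


def norm_zip5(raw):
    d = re.sub(r"\D", "", raw)
    return d[:5] if len(d) >= 5 else ""


def norm_ssn4(raw):
    d = re.sub(r"\D", "", raw)
    return d[-4:] if len(d) >= 4 else ""


NORMALIZERS = {"FN": norm_name, "LN": norm_name, "DoB": norm_dob,
               "Gender": norm_gender, "Zip": norm_zip5, "SSN4": norm_ssn4}

# Constructed registrations. "person" is ground truth a real system never has;
# it is here only so the scorer can tell a false merge from a missed match.
RECORDS = [
    {"person": "P1", "FN": "Jane", "LN": "Smith", "DoB": "1980-04-02", "Gender": "F", "Zip": "97201", "SSN4": "1234"},
    {"person": "P1", "FN": "Jane ", "LN": "smith", "DoB": "04/02/1980", "Gender": "Female", "Zip": "97201-1234", "SSN4": ""},
    {"person": "P2", "FN": "Jane", "LN": "Smith", "DoB": "1980-04-02", "Gender": "F", "Zip": "97201", "SSN4": "5678"},
    {"person": "P3", "FN": "Robert", "LN": "Lee-Chan, Jr.", "DoB": "1975-11-30", "Gender": "M", "Zip": "02139", "SSN4": "9999"},
    {"person": "P3", "FN": "Robert", "LN": "Lee Chan Jr", "DoB": "1975-11-30", "Gender": "M", "Zip": "02139", "SSN4": ""},
    {"person": "P4", "FN": "Maria", "LN": "Garcia", "DoB": "1990-01-15", "Gender": "F", "Zip": "", "SSN4": ""},
    {"person": "P5", "FN": "Maria", "LN": "Garcia", "DoB": "1990-01-15", "Gender": "F", "Zip": "33101", "SSN4": "4321"},
]

COMBOS = {
    "FN+LN+DoB": ("FN", "LN", "DoB"),
    "FN+LN+DoB+Gender": ("FN", "LN", "DoB", "Gender"),
    "FN+LN+DoB+Gender+Zip5": ("FN", "LN", "DoB", "Gender", "Zip"),
    "FN+LN+DoB+Gender+SSN4": ("FN", "LN", "DoB", "Gender", "SSN4"),
}


def match_key(record, attrs, normalize=True):
    """Tuple of the combination's values, or None if any attribute is missing
    (that is what drags a combination's Completeness down)."""
    parts = []
    for a in attrs:
        raw = record.get(a, "")
        v = NORMALIZERS[a](raw) if normalize else raw
        if not v.strip():
            return None
        parts.append(v)
    return tuple(parts)


def score(records, attrs, normalize=True):
    keyed = [(r["person"], k) for r in records
             if (k := match_key(r, attrs, normalize)) is not None]
    false_merges = missed = 0
    for i in range(len(keyed)):
        for j in range(i + 1, len(keyed)):
            same_person = keyed[i][0] == keyed[j][0]
            same_key = keyed[i][1] == keyed[j][1]
            if same_key and not same_person:
                false_merges += 1      # two people collapse into one key
            elif same_person and not same_key:
                missed += 1            # one person splits into two keys
    return {"completeness": round(len(keyed) / len(records), 3),
            "false_merges": false_merges, "missed_matches": missed}


if __name__ == "__main__":
    for name, attrs in COMBOS.items():
        print(f"{name:24} {score(RECORDS, attrs)}")
    print(f"{'FN+LN+DoB (no normalize)':24} {score(RECORDS, COMBOS['FN+LN+DoB'], normalize=False)}")
```

On this data FN+LN+DoB (with or without Gender) is built for every record but merges the two unrelated Jane Smiths and the two Maria Garcias; adding Zip5 separates the Garcias at the cost of the record with no postal code; SSN4 produces no false merges at all but can only be built for four of seven registrations. Switching normalization off shows the other failure mode: the same person registered as "Lee-Chan, Jr." and "Lee Chan Jr", or with the date entered as 04/02/1980 instead of 1980-04-02, is counted as two different people, which is why the collection conventions deferred above matter as much as the choice of attributes.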

Let us know what you collect, your thoughts on standardization of how we collect this data, and what combination of attributes could serve as a national standard.