Tuesday, February 23, 2016

ONC Blog Series Part 3: Care Coordination, Care Planning, and Case Management Examples Under HIPAA

In the third installment of ONC’s four-part blog series on HIPAA, care coordination, care planning, and case management are in focus. Blog post Part 3: “The Real HIPAA: Care Coordination, Care Planning, and Case Management Examples” gives additional practical examples of exchange for Treatment and exchange for Health Care Operations. The following examples are taken directly from the ONC’s post.

Example 1: Care Coordination – 45 CFR 164.506(c)(2)

A hospital is preparing to discharge a patient who will need ongoing, facility-based care. The inpatient facility needs to identify a rehabilitation facility to accept the patient. Prospective facilities will need Protected Health Information (PHI) about the patient to determine whether they can provide the right care.

The current hospital may disclose the relevant PHI to prospective facilities without first obtaining the patient’s written authorization. The disclosing hospital may use Certified EHR Technology, so long as the disclosure is done in a manner that meets the HIPAA Security Rule.

This disclosure is a treatment disclosure (in anticipation of future treatment of the patient by the rehabilitation facility) and thus, may be carried out under 45 CFR 164.506(c)(2).

But, you might wonder, because the PHI came from the inpatient facility, will the inpatient facility be held responsible under HIPAA for what the rehabilitation facilities do with the PHI once they have received it in a permissible way under HIPAA?

Under HIPAA, the inpatient facility is responsible only for complying with HIPAA in disclosing the PHI to the rehabilitation facility in a permitted and secure manner. This includes sending the PHI securely and taking reasonable steps to send it to the right address. After the rehabilitation facility has received the PHI in accordance with HIPAA, the rehabilitation facility, as a covered entity itself, is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to any breaches that occur. The responsibility of the sending provider was to send it securely to the right address; the sending provider is not responsible for its security once received by another covered entity or the recipient covered entity’s business associate (BA).


Example 2: Care Planning By a Provider – 45 CFR 164.506(c)(1) and (c)(2)

A provider wants to ensure that her patients have a comprehensive care plan after they are discharged from the hospital. The provider hires a care planning company (i.e., its BA) to develop these plans for her patients.

To develop the plan, the care planning company requests pertinent PHI about each patient from the patients’ other providers, such as the hospitals to which the patients have been admitted for the same or similar medical care and the patients’ health plans. Each of these covered entities may disclose the relevant PHI for care planning purposes using Certified EHR Technology. Disclosure of electronic PHI by such technology or other electronic method requires HIPAA Security Rule compliance.

In this scenario, a business associate agreement (BAA) is only required between the covered entity that hires the care planning company and that company. The covered entities who permissibly disclose PHI in this scenario may do so directly to the provider’s care planning company for the provider’s care planning purposes (without the need to execute their own BAA) just as they could share this information directly with the provider. Electronic PHI disclosed in this scenario, for example using Certified EHR Technology, must be disclosed consistent with the HIPAA Security Rule.


Example 3: Case Management by a Payer – 45 CFR 164.506(c)(1) and (c)(4)

A health plan hires a health care management company to provide semi-monthly nutritional advice and coaching to their diabetic and pre-diabetic members. The care management company is a BA of the health plan. In order to provide appropriate nutritional advice and coaching, the health care management company needs additional information about these individuals to ensure the advice is consistent with the treatment they receive from their providers.

The health care management company may query the relevant providers to obtain information that could impact the nutritional advice. Providers may respond to the query using Certified EHR Technology and may disclose PHI necessary for the case management purpose for which the nutritional coach was hired by the health plan. Disclosure of electronic PHI by Certified EHR Technology or other method requires HIPAA Security Rule compliance.

In this scenario, the disclosures by the providers to the nutritional coach are for the Health Care Operations (“population-based activities relating to improving health or reducing costs” and “case management”) of the health plan, and therefore are Permissible Disclosures under HIPAA. Likewise, a BAA is only required between the health plan covered entity and the health care management company it hired. The providers may make permissible disclosures of PHI to that company without a BAA between the discloser and that company.


Once again, the providers sharing PHI with the health care management company hired by the health plan are not responsible under HIPAA for what that company or the health plan subsequently does with the information once it has been sent for a permissible reason and in a secure manner.

Monday, February 22, 2016

Trends in Consumer Concerns Regarding Privacy and Security of Health Records

The ONC’s newest data brief examines trends in individuals’ perceptions regarding privacy and security of medical records and exchange of health information. Using data from a nationwide survey administered from 2012-2014, the ONC now summarizes the trends in consumers’ attitudes toward privacy and security concerns and preferences regarding electronic health records (EHR) and health information exchange (HIE).

The data reveal 6 major trends:

1. Individuals' concerns about the privacy and security of both paper and electronic medical records declined significantly between 2013 and 2014, from 75% very or somewhat concerned to 58% very or somewhat concerned. This is a statistically significant difference (p < 0.05).
2. In 2014, a similar number of individuals (about one in five) expressed lack of concern about both the privacy and the security of their medical records. The proportion of individuals who were "very concerned" about the privacy of their medical records decreased by about fifteen percentage points between 2013 and 2014. This is a statistically significant difference (p < 0.05).
3. Individuals' concerns regarding the privacy and security of their medical record do not significantly differ by whether they have an electronic versus paper medical record. There were no statistically significant differences between paper versus electronic health records.
4. Between 2012 and 2014, at least three-quarters of individuals supported their health care providers' use of EHRs despite any potential privacy or security concerns.
5. Individuals' concerns regarding unauthorized viewing of medical records when sent by fax or electronic means declined significantly between 2013 and 2014. Between 2013 and 2014, concerns regarding having medical records sent by fax declined by 20% and concerns regarding medical records sent by electronic means declined by 16%. This is a statistically significant difference (p < 0.05).
6. Between 2012 and 2014, at least 7 in 10 individuals have supported electronically exchanging their health records despite potential privacy or security concerns. There are no significant differences between years (p < 0.05).

In summary, as EHR adoption and HIE increased among hospitals and physicians, consumers' concerns regarding HIE and the privacy and security of medical records declined. However, it is important to note that these perceptions reflect individuals' points of view prior to announcement in 2015 of several large health care information breaches. Additionally, it is unclear as to whether the significant decreases in concerns between 2013 and 2014 are an anomaly or whether this represents the beginning of a trend towards decreasing privacy and security concerns.

What do you make of the results? Has your organization faced any consumer concerns over using one medical record-keeping format over another? Let us know in the comments below.

Tuesday, February 16, 2016

ONC Blog Series Part 2: Permitted Uses and Disclosures in HIPAA

In our continuing coverage of the ONC’s four-part blog series, we focus today on Part 2: “The Real HIPAA: Permitted Uses and Disclosures.” This blog post summarizes the new ONC fact sheets on HIPAA Permitted Uses and Disclosures for exchange, developed in conjunction with the Office for Civil Rights.

The HIPAA Privacy Rule defines when, under federal law, a covered entity may use or disclose an individual’s Protected Health Information (PHI). In general, a covered entity may only use or disclose PHI if either: (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information gives authorization in writing.

The HIPAA Privacy Rule specifically permits a use or disclosure of PHI for the covered entity that collected or created it for its own treatment, payment, and health care operations activities. Similarly, HIPAA also permits the covered entity that collected or created the PHI to disclose it to another covered entity for treatment, payment, and in some cases, the health care operations of the recipient covered entity.

If the covered entity wishes to use or disclose the PHI for something other than treatment, payment, or health care operations, it must obtain patient authorization to do so, unless the use or disclosure is permitted by another provision of the HIPAA Privacy Rule. One important such rule is when a patient requests a copy of her PHI, and asks that it be sent somewhere else.

OCR recently clarified that, when an individual requests a copy of her PHI and asks that it be sent directly to a third party, a provider must comply except in very narrow circumstances.

With regard to the national priority of interoperability, nationwide interoperable health information technology (health IT) will help make the right electronic health information available to the right people at the right time for patient care and health, no matter the care setting, organization, or technology supporting the information exchange. HIPAA’s Permitted Uses and Disclosures are rules that run “in the background” in support of this important nationwide goal. These background rules are made transparent to individuals through Notices of Privacy Practices. And, as to privacy protections, the HIPAA Privacy Rule applies the same whether the PHI is on a piece of paper or is electronic. (The Security Rule, in contrast, applies only to electronic PHI.)

ONC has released two new fact sheets to break down HIPAA’s permitted uses and disclosures.


As discussed in the Exchange for Treatment fact sheet, under HIPAA, a covered entity provider can disclose PHI to another covered entity provider for the treatment activities of the recipient health care provider, without needing patient consent or authorization. Treatment is broadly defined. It includes making and receiving referrals; coordination or management of health care and related services by a provider, even through a hired third party (for example, a nutritionist); and several other functions.

Likewise, a covered entity can disclose PHI to another covered entity (CE) or that CE’s business associate (BA) for the following subset of health care operations activities of the recipient covered entity without needing patient consent or authorization:
  • Conducting quality assessment and improvement activities
  • Developing clinical guidelines
  • Conducting patient safety activities as defined in applicable regulations
  • Conducting population-based activities relating to improving health or reducing health care cost
  • Developing protocols
  • Conducting case management and care coordination (including care planning)
  • Contacting health care providers and patients with information about treatment alternatives
  • Reviewing qualifications of health care professionals
  • Evaluating performance of providers and/or health plans
  • Conducting training programs or credentialing activities
  • Supporting fraud and abuse detection and compliance programs.

In general, before a covered entity can share PHI with another covered entity for one of the reasons noted above, the following three requirements must also be met:

  1. Both covered entities must have or have had a relationship with the patient (can be a past or present patient)
  2. The PHI requested must pertain to the relationship
  3. The discloser must disclose only the minimum information necessary for the health care operation at hand.

Under HIPAA’s minimum necessary provisions, a provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure or request. If the covered entities are in an “Organized Health Care Arrangement,” or “OHCA,” as defined in the HIPAA Privacy Rule (45 CFR 160.103), additional capabilities may exist for interoperable exchange of PHI.

Surprise Medical Bills Addressed in 2017 HHS Budget

For the uninsured, seeking medical treatment almost always results in a costly medical bill. But, over the past few years, it's become clear that even if you have health insurance in the U.S., you're still susceptible to receiving pricey medical bills—many of which can be a complete surprise.

For the insured, an expensive bill is expected when one visits an out-of-network physician. Lately, bills have been popping up in the least expected places. For these patients, charges roll in even though they did research and, presumably, went to an in-network hospital or saw in-network physicians.

President Obama’s 2017 budget for HHS takes action to eliminate these surprise bills.

Embedded within the 2017 budget is a provision to “eliminate surprise out-of-network healthcare charges for privately insured patients.” The administration would try to solve the problem by requiring physicians who “regularly provide services in hospitals” to accept in-network rates, even if they aren't in the insurer's network. Hospitals would also have to “take reasonable steps” to ensure patients see in-network physicians.

Usually, patients face unexpected charges because of large payment disagreements between insurance companies and physicians. Physicians will refuse to participate in an insurer's network if they believe the insurer is low-balling them. But, insurers say doctors ask for unreasonably high rates. Hospitals and patients are often left in the middle. Under President Obama's 2017 budget, patients would be removed from the disputes, and physicians would have to cave to the insurers' rates.

However, American Medical Association President Dr. Steven Stack said last year that he didn't like any approach that would “coerce physicians through yet another way to not receive sufficient payment,” indicating that the budget proposal won’t be popular with physicians.

President Obama's budget for 2017 stands pretty much no chance of moving through Congress, but it does reveal the president's final priorities for his own and future administrations.


The original article by Bob Herman can be found at the following address: http://www.modernhealthcare.com/article/20160211/BLOG/160219975?utm_source=modernhealthcare&utm_medium=email&utm_content=20160211-BLOG-160219975&utm_campaign=am


Friday, February 12, 2016

ONC Blog Series Part 1: HIPAA and Interoperability

In February 2016, the Office of the National Coordinator for Health Information Technology (ONC) launched a new four-part blog series to explain the permitted uses of health information under HIPAA. The series emphasizes that HIPAA not only protects personal health information from misuse, it also enables personal health information to be accessed, used or disclosed interoperably, when and where it is needed for patient care.

We begin our coverage of the four-part series with Part 1: The Real HIPAA Supports Interoperability. This introductory post establishes HIPAA as serving the dual functions of protecting personal health information from misuse and also enabling personal health information to be used between Covered Entities (CE) under specific conditions.

ONC released two new fact sheets which give numerous examples of when electronic health information can be exchanged without first requiring an authorization or a writing of some type from the patient, so long as other protections or conditions are met. HIPAA provides many pathways for permissibly exchanging Protected Health Information (PHI).


The new fact sheets remind stakeholders through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities.

Next week, the blog series will continue to delve further into Permitted Uses and Disclosures. As per ONC, Blog #2 will be background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers, and between provider and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities, including via a health information exchange.

Six Critical Imperatives for Progress in Healthcare

In 2015, healthcare spending eclipsed $3.2 trillion, which is 18% of the nation’s gross domestic product. CMS projects healthcare spending to reach $4.3 trillion by 2020 (18.5 percent of GDP) and $5.4 trillion by 2024 (19.6 percent of GDP). Healthcare costs are rising exponentially, putting the pinch on patients and providers alike. Every dollar spent on healthcare is a dollar that cannot be spent on a critical competing need both at the micro and macro levels of the economy. Knowing this, we must ask: is the best possible care being provided to patients? Is the care effective in reaching its goal?

Fred Bazzoli of Health Data Management, in his article “HIT Think: A Moon Shot for Healthcare: 6 Critical Imperatives,” proposes essential components that would give healthcare a chance to reach the ultimate goals that it needs to achieve.

Six Critical Imperatives:
  1. Achieve interoperability: Patient information must be easily, seamlessly and automatically exchanged between any and all information systems. A patient's data ought to be accessible in full by clinicians and presented in a way that is comprehensive and easily understandable.
  2. Develop usable, intuitive, and all-inclusive electronic health records systems: Caregivers should be able to use different EHR systems without having to labor at using them. In addition, records systems need to support all of a patient’s information, structured and unstructured, and also should support analytics efforts by clinicians and researchers.
  3. Solve caregivers' technology frustrations: Technology needs to make the lives of caregivers easier, not increase burdens. Technology needs to solve caregivers' problems, facilitate care, increase efficiency and make caregivers’ lives better, resolving enough of their pain points to encourage them to stick with their roles as the industry reinvents itself and not leave the profession.
  4. Maximize industry coordination and cooperation: Every caregiver must have all available information on a patient, and everyone can work together to wring out as much unnecessary cost as possible from the system. Data sharing between IT systems will play a crucial role in achieving this.
  5. Reduce administrative expenses to the bare minimum: Estimates of administrative expenses in healthcare traditionally have ranged from 20 to 25 percent of all industry expenditures. At the low end, that would mean $600 billion is spent on healthcare that’s not directly related to care delivery. Much of that money needs to be reallocated to areas such as clinical and operational research.
  6. Focus resources on deeply involving consumers in their health: Patients need to understand the importance of paying attention to self-care, whether that means taking on healthy habits, avoiding habits that are destructive and following care regimens. A restructured healthcare system needs to demonstrate it cares about patient health as much, if not more, than treating sick patients.

As the industry enters a period of uncertainty about the direction of health policy, it must get serious about improving care and cutting costs. IT can help, but the will must be there to use it.

Has the incorporation of technology in your organization's daily procedure helped or hindered effectiveness and efficiency? Do you have any suggestions for how to better integrate technology in practice? Let us know your thoughts and concerns in the comments below.



Tuesday, February 9, 2016

Hospital Company Sued Under FCC's Tighter TCPA Rules

In September 2015, we reported on the Declaratory Ruling and Order issued by the Federal Communications Commission (FCC) on July 10, 2015. In short, this ruling clarified several exemptions under the Telephone Consumer Protection Act (TCPA) regulations common to healthcare organizations. These issues were raised in a petition filed by the American Association of Healthcare Administrative Management (AAHAM) regarding the exemption from prior express consent of “healthcare-related messages.” [For a thorough breakdown of the ruling and its component parts, please see our post “Deconstructing the FCC’s Declaratory Ruling on TCPA Regulations.”]

Now, Prospect Medical Group’s Southern California Hospital at Culver City is one of the first providers to be targeted with a class-action lawsuit since the FCC’s July interpretive ruling. The lawsuit alleges that the hospital used an automated dialer to call patient Donna Ratliff on her cellphone in order to collect a debt and did not have her express consent to do so.

In its ruling, the FCC made it clear that debt collectors need express consent before dialing a cellphone and gave little leeway for when they reach a number that's been reassigned.

As of January 28, 2016, Prospect Medical Group claimed it was not formally served with a complaint. Yet, the company insisted it follows the necessary practices to obtain consent to call patients on their cellphones in that “all [of our] patients are asked to sign an irrevocable authorization permitting our hospitals to contact them via telephone—including, specifically, via cellphone—in their efforts to collect outstanding debt."

Attorney Bradley Andreozzi of Drinker Biddle suggests the best policy for any hospital is “to have written consent during the admissions process that is broadly worded to include all types of automated calls and texts.”

TCPA violations are already an active area for plaintiffs, with TCPA-related lawsuits increasing 560% between 2010 and 2014, according to ACA International, the Association of Credit and Collection Professionals. Penalties for TCPA infractions start at $500 per call and can reach as much as $1,500 for willful violations.

Still, the most controversial part of the FCC ruling – when a debt collector reaches someone in error – is left unexamined. The FCC allows medical debt collectors to call a number just once without penalty, regardless of whether someone picks up. ACA International has sued the FCC challenging the July order.

In sum, attorney Lewis Wiener of Sutherland, Asbill, & Brennan asserts that the best way for providers to protect themselves is to have a rigorous process for getting consent, use broad language, respect the wishes of those individuals who “opt out,” and whenever possible, use email to create a paper trail.

Has your organization developed a new protocol for obtaining patient consent in light of the FCC ruling? Do you feel sufficiently protected from exposure to litigation? Let us know your concerns in the comments below.


The original article by Beth Kutscher can be found at the following address: http://www.modernhealthcare.com/article/20160128/NEWS/160129854