Thursday, March 31, 2016

Petition sent to White House supporting a renewed dialogue on voluntary patient safety identifier


NAHAM calls on support for the following petition now pending with the White House –

Accurate patient identification is critical to providing safe care. We support a voluntary patient safety identifier and petition for the removal of the federal legislative ban that currently prohibits the US Department of Health and Human Services from participating in efforts to find a patient identification solution. Sharing of electronic health information is being compromised because of patient identification issues. Let’s start the conversation and find a solution.

The petition may be found at https://petitions.whitehouse.gov/petitions

NAHAM believes that congressional language that currently prevents the U.S. Department of Health and Human Services from engaging in any work towards the use of a unique patient identifier is harmful to national efforts to improve patient identification and matching. The congressional opposition to a universal patient identification scheme should not prevent a public discourse, including research and analysis of the challenges that will only increase with the move toward electronic healthcare records and the expectations of interoperability among healthcare systems. 
 
The petition is not calling on the adoption of a universal patient identification, nor does support of this petition equate to support for such a scheme.  In fact, the petition seeks spur interest and dialogue in a voluntary scheme, but importantly, a scheme that will include a unique patient identification.  Reinterpreting the congressional language that bans HHS from implementing a universal patient identification so that a robust public policy discussion can take place is long overdue.  Certainly our nation’s lead federal healthcare agency should be an active participant in the inquiry into the possibility that such an identifier could reduce patient safety risks associated with identity integrity.

NAHAM’s support of the petition is consistent with its Public Policy Statement: Patient Identity Integrity (October 2015), Patient Identity Integrity requires additional standardized data attributes in the absence of the universally adopted unique patient identifier, and its current work on developing standards for best practices in the collection of patient “data attributes” as identified by the Office of the National Coordinator’s (ONC’s) 2014 report, Patient Identification and Matching Final Report.  NAHAM believes that all of these resources must be in play to address current and prepare for increasing challenges in patient identification.

The petition, filed by the American Health Information Management Association (AHIMA) and posted on the Obama Administration’s We the People website, will be open through April 19 and will require 100,000 online signatures before it will be considered.  It is posted as “Remove the federal budget ban that prevents HHS from working on a voluntary patient safety identifier (MyHealthID)”.  

Monday, March 28, 2016

New Round of HIPAA Audits For Business Associates and How to Survive Them

As the role of analytics and electronic health records systems grows in healthcare, the number of vendors interacting with patient data has grown exponentially. Because of the numerous access points to patient data, the federal government appears to be clamping down on the sometime porous flow of patient data handled by contractors, whose security failures have been linked to the exposure of nearly 33 million individuals' medical records since 2009.

Under HIPAA, these contractors are referred to as “business associates.” And now, these business associates will be included as primary audit targets in the second round of HIPAA audits by the Department of Health and Human Services’ Office for Civil Rights.

The audit of business associates is necessary to keep out firms who are insincere about becoming HIPAA compliant, and are thus reckless with patient data.

According to Adam Greene, a partner in the Washington, D.C., office of Davis Wright Tremaine, some larger healthcare organizations have employed hundreds and in some cases as many as a thousand business associates.

In one sense, by including the business associates, the civil rights office is simply catching up with privacy and security rules it issued three years ago. But the OCR announcement also means that enforcement of these more stringent rules could give healthcare organizations more leverage to get stronger agreements with their contractors.

Upgrades to the HIPAA privacy and security rules in the health IT provisions of the American Recovery and Reinvestment Act of 2009 puts BAs on an equal legal footing with HIPAA covered entities – hospitals, physician practices, health plans and claims clearinghouses. That means vendors that violate the rules are subject to civil monetary penalties of up to $1.5 million a year.

The first phase of audits will involve OCR staff and special hires conducting “desk audits,” not requiring agents to go into the field. Covered entities will be asked to provide basic information about their business associates. “It won't be a complete list,” Green said, but it will provide a starting point for identifying business associates to audit.

Just as business associates now share equal legal liability under HIPAA, they've long shared culpability for data breaches, according to federal records.

That said, how can business associates “survive” a HIPAA audit? According to Hayes Management Consulting, there are six key steps to getting through a HIPAA audit successfully.

First, prepare and practice. Before the OCR audit, conduct an internal round of HIPAA compliance audits and risk assessment. To impress OCR, show proof of conducting such assessments on a regular schedule.

Second, evaluate your privacy and security policies. Perform an in depth assessment of your current privacy and security policies and procedures, or active HIPAA compliance program. Similarly, designate a HIPAA Compliance Officer. HIPAA privacy compliance should focus on PHI access, administrative requirements, uses and disclosures. For security compliance, concentrate on administrative physical and technical safeguards.

Third, perform an internal review of electronic files. Encrypt all electronic files, especially patient sensitive data. Verify and validate which electronic files are being encrypted, and which are not. Do this before any external audits are done.

Fourth, assess organization compliance risks. OCR Phase 1 HIPAA Audits revealed two-thirds of organizations could not demonstrate they were performing complete and accurate HIPAA security risk assessments. To ensure that your organization can meet compliance standards, start by inventorying all of the organization’s systems that handle ePHI, and develop some remediation action plans.

Fifth, compile a list of all vendors and business associates. OCR will ask to see all business associates that have access to your organization’s PHI. Include anyone that works behind the scenes with your hospitals, health plans or providers. For example, such associates include contractors, consultants, software vendors, and data storage companies.  

Sixth and finally, evaluate, evaluate, evaluate. Inspect your HIPAA policies and procedures, most importantly employee access, new hire employee training, ePHI policies, eFILE sharing procedures, faxing, emailing, notice of privacy policies, data breach mitigation, disaster recovery, data backup and be sure to update policies and procedures regularly.  



The original article by Joseph Conn can be found at the following address: http://www.modernhealthcare.com/article/20160323/NEWS/160329942?utm_source=modernhealthcare&utm_medium=email&utm_content=20160323-NEWS-160329942&utm_campaign=am

Thursday, March 17, 2016

NAHAM Public Policy Statement on Patient Identity Integrity


NAHAM issued its statement on Patient Identity Integrity last fall.  See NAHAM Public Policy Statement: Patient Identity Integrity (October 2015).  In this statement, NAHAM called for the development of additional standardized data attributes for improving patient identification.

Patient Access is at the forefront of the patient experience as broadly defined from the beginning of the revenue cycle with scheduling and pre-registration to the conclusion with bill payment.  Uniquely, Patient Access is also the initial step for ensuring proper care in the clinical setting – accurately matching the patient who presents at registration with the complete medical record.  Increasingly that means electronic health records, with complex challenges when the patient experience crosses between provider systems.

The NAHAM Public Policy Statement on Patient Identity Integrity attempts to succinctly make the case for Patient Identity Integrity (PII), as a practice essential to the provider setting and as a public policy imperative, calling for an additional set of patient identifiers to be used as a “standardized combination of data attributes” that can stand in the place of a unique patient identifier until such a mechanism is universally adopted. 

NAHAM's Public Policy Statement of Patient Identity Integrity follows -

Patient Identity Integrity requires additional standardized data attributes in the absence of the universally adopted unique patient identifier.

The National Association for Healthcare Access Management (NAHAM) recognizes and supports patient safety as a national health priority.  Patient identification errors through the registration process can delay patient care and increase the potential for patient harm.  Long term downstream effects include increased financial liability, diminished reputation, and decreased physician and employee loyalty.  Patient identity integrity (PII) ensures that healthcare access professionals identify and accurately match the right patient with his or her complete medical record, every time, in every provider setting.  Ensuring the right patient, right record, every time, is the first critical step in providing patient care.

PII processes should be prioritized and standardized to include:  principles that guide practice, policies and procedures, training and competency validation, standard scripting, defining acceptable forms of identification, naming conventions, search guidelines and algorithms, banding verification, establishing response guidelines for difficult situations, measuring and tracking duplicate records, and rapid response and resolution to errors.

NAHAM recognizes that current patient identification and matching procedures vary throughout the country.  Using two patient identifiers with a combination of secondary identifiers is standard and compliant practice.  Achieving the goal of eliminating patient identification errors nationally will require a unique patient identifier and/or a standardization of data capture as well as a standardized combination of data attributes that support Patient Identity Integrity.

Monday, March 14, 2016

Trends in Consumer Access and Use of Electronic Health Information

In ONC Data Brief 30, trends in consumer access and use of electronic health information are examined. Over the past few years, a number of policy changes have been put in place to increase individuals' access to their personal electronic health information. HIPAA was modified to clarify that if an individual's health information is available electronically, individuals have a right to obtain that information electronically. In Stage 2 Meaningful Use, CMS requires eligible providers and hospitals participating in the Medicare and Medicaid EHR Incentive Program to use certified EHR technology with the capability for patients to electronically view, download and transmit (VDT) their health information electronically. From 2011 to 2014, participation in the Blue Button Initiative, a public-private partnership to increase consumer access and use of their health data grew from 30 organizations to more than 650. This brief provides national estimates of consumers' access and use of their electronic health information based upon nationally representative surveys conducted from 2012 to 2014.


The data reveal 9 major trends:

1.       Individuals' electronic access to their medical records increased significantly in 2014. In 2014, nearly 4 in 10 Americans were offered electronic access to their medical record. The proportion of Americans offered online access to their medical records rose by more than a third between 2013 and 2014.
2.      In 2014, over half of individuals who were offered access viewed their record at least once within the last year. About one-third of individuals accessed their medical record one to two times in 2014 whereas about one-fifth of individuals accessed their online record once or twice in 2013. In both 2013 and 2014, about one in ten individuals accessed their online medical record more than 6 times over a one-year period.
3.      Almost all individuals report having access to laboratory results within their online medical record. Among individuals using online medical records, more than 90% report having laboratory test results in their record. Among individuals who have used an online medical record, almost 8 in 10 report having a list of health and medical problems in their online medical record. Approximately three-quarters of individuals report having access to a current list of medications within their online medical record.
4.      Individuals most commonly use online medical records for monitoring health. In both 2013 and 2014, about seven in ten individuals who accessed their online medical record, used it to monitor their health. Approximately one-third of individuals downloaded information from their online medical record in 2014; rates of downloading were similar in 2013. Rates of sharing information with at least one other individual or party decreased between 2013 and 2014; however, these decreases were not significant. In both 2013 and 2014, about one in ten individuals used their online medical records to correct medical records. In both 2013 and 2014 about one in ten individuals used their online medical records to transmit their data to somewhere else, such as a PHR or app.
5.      In 2014, 8 in 10 individuals who accessed their medical record online considered the information useful. In 2014, fewer than 5% of individuals who had used an online medical record within the last year considered it 'not useful.' Between 2013 and 2014, there was a significant increase in the proportion of individuals who were neutral about the usefulness of their online medical record. The proportion of individuals who considered their online medical records as 'not useful' and as 'useful' significantly declined between 2013 and 2014.
6.      Lack of need remains the top reason for not accessing an online medical record. In both 2013 and 2014, about three-quarters of individuals who did not access their online medical record indicated they didn't access it because that they did not have a need to use it. About one in ten individuals who did not access their online medical record indicated it was because they had more than one online record. Although not a statistically significant difference, fewer individuals noted privacy or security concerns in 2014 as a reason for not accessing their online medical record compared to 2013.
7.      Over one-quarter of individuals either didn't believe they had a right or were unaware of their right to an electronic copy of their medical record. Almost three-quarters of individuals of individuals were aware of their right to access their medical record electronically. Individuals who were aware of their right to access their medical record electronically were offered online access to their medical record by their health insurer or health care provider at significantly higher rates compared to individuals who were not aware or did not believe they had a right to an electronic copy of their medical record were offered online access.
8.     In 2014, almost one-in-five individuals whose health care provider had an EHR requested their health care provider electronically exchange their medical record. Over two-thirds of individuals report their health care provider has an EHR. Across all individuals nationwide, regardless of whether their provider has an EHR or not, over one-in-ten individuals (12%) requested their health care provider electronically send their medical record to another health care provider.
9.      Among individuals who visited a health care provider within the past year, over one-third experienced at least one gap in information exchange in 2014. Although there was a decline in the proportion of individuals who experienced at least one gap in information exchange between 2012 and 2014, these do not represent significant changes. Having to recount one's medical history because the health care provider did not receive records from another health care provider is consistently the most common gap in information exchange experienced by individuals between 2012 and 2014. Other common gaps in information exchange that remain issues in 2014 relate to test results; this includes having to bring test results with you to an appointment (15%) and having to wait for test results longer than you thought reasonable (11%).

In short, there is a significant opportunity for consumer outreach to increase individuals' awareness regarding electronic access and use of online medical records. Individuals' who were aware of their right to a copy of their electronic medical record had significantly higher rates of being offered online access compared to those who were unaware or incorrectly believed they didn't have this right. A lack of need remains the most frequently cited reason for not accessing an online medical record. Illustrating the value of using an online medical record to manage one's health and address information gaps among providers could increase usage among those individuals who cited a lack of need as a reason for not accessing an online medical record.


What do you make of the results? Has your organization promoted electronic access and use of online medical records by patients? Do you think there are any potential problems with allowing patients open online access? Let us know in the comments below.

Thursday, March 10, 2016

GAO Finds Smart Cards Won't Stop Most Healthcare Fraud

Regardless of one’s political affiliation, the elimination of fraud from government healthcare programs is an issue universally supported. In 2014, the Department of Justice spent $571 million to find and prosecute fraud and recover $3.3 billion in settlements.

A proposed solution to cutting fraud is incorporating technology. Recently, the Government Accountability Office conducted study examining whether electronically readable card technology, or “smart cards,” could weed out fraud by properly identifying beneficiaries or providers at the point of care.

In the report, the GAO found that smart cards could spot some types of fraud, but not most. This is because the vast majority of cases involve schemes in which the beneficiaries or the providers—or both—were complicit in the action.

GAO ran tests of 739 fraud cases from 2010 to determine whether the use smart cards would have made a difference. The results were not promising: in only 165 cases (22%) would smart cards have been able to prevent fraud.

The investigators gave several reasons why smart cards are not a cure-all for Medicare and Medicaid fraud. The most common fraud schemes involve billing for services that were not provided (43%) or for medically unnecessary services (25%), and in the case of Medicare especially, the patient may not even be aware that the service is not needed. Other schemes involve falsifying records to support fraud (25%) and fraudulently obtaining controlled substances or mis-branding prescription drugs (21%).

In sum, GAO finds that when it comes to fraud, providers are complicit 62% of the time, while beneficiaries are at fault 14% of the time.  



The original article by Mary Caffrey can be found at the following address: http://www.ajmc.com/focus-of-the-week/0216/smart-cards-wouldnt-stop-most-healthcare-fraud-gao-finds?utm_source=Informz&utm_medium=AJMC&utm_campaign=MC%5FMinute%5F2%2D24%2D16

Monday, March 7, 2016

Disparities in Individuals' Access and Use of Health Information Technology

ONC Data Brief 34, published last month, examined the disparities in individuals’ access and use of health information technology in 2014. Findings from nationally representative surveys show that individuals' use of information technology (IT) for health needs increased significantly between 2013 and 2014. Prior analysis revealed that disparities in online access of medical records and use of IT for health-related needs existed by certain socio-demographic characteristics and geographic settings in 2013.

The data reveal 5 major trends:

1.       Individuals whose provider had an EHR were offered online access to their medical record at three times the rate of those whose provider does not. In 2014, individuals whose provider had an EHR had significantly higher rates of using IT for health needs compared to individuals whose provider did not have an EHR. The percent of individuals offered access to online medical records, emailing providers, and looking up test results online increased between 2013 and 2014; however, the rate of increase was greater among those whose provider had an EHR.
2.      Individuals with lower incomes and less education had significantly lower rates of being offered online access to their health information. While about half of individuals with incomes of $100,000 or more were offered online access to their health information, only about one-quarter of individuals with less than a $25,000 annual income were offered online access. Individuals with more than a four year college degree were offered online access at about twice the rate as individuals who had a high school degree or less.
3.      Individuals who had difficulty speaking English were offered online access to their medical records at significantly lower rates. While 39% of individuals who spoke English very well or well were offered online access to their medical record, only 15% of individuals who didn't speak English well and only 5% of those who didn't speak English at all were offered online access to their medical record. Almost twice as many white, non-Hispanic individuals were offered online access to their medical record as compared to Hispanic individuals.
4.      Among individuals offered online access to their medical record, those with higher incomes and more education were more likely to view their record. Individuals with annual incomes of at least $50,000 had significantly higher rates of viewing their online medical record compared to individuals with incomes less than $25,000. While almost two-thirds of individuals with annual incomes higher than $100,000 viewed their online medical record at least once within the past year, only about one-third of individuals with incomes less than $25,000 viewed their record within the past year. Individuals with a high school degree or less had significantly lower rates of viewing their online medical record compared to individuals with more than a four-year college degree. Individuals with a four-year college degree or more education were over twice as likely to view their online medical record compared to those without a high school degree.
5.      Individuals with more education and higher income use certain types of IT for health-related needs at significantly higher rates. Individuals 50-59 years of age had significantly higher rates of text-messaging and emailing their provider, looking up online test results, and using a mobile health application compared to individuals 70 years or older. Individuals with no disabilities had significantly higher rates of emailing their provider and using a mobile health application than individuals with a disability. Individuals residing in rural areas have significantly lower rates of emailing their provider, looking up test results online and using a smart phone health application compared to individuals residing in suburban settings.

What do you make of the results? Do your experiences with patients reflect the data above? Let us know in the comments below.

Friday, March 4, 2016

ONC Blog Series Part 4: Quality Assessment/Quality Improvement and Population-Based Activities Examples

The fourth and final installment of the ONC’s four-part blog series on HIPAA, “The Real HIPAA: Quality Assessment/Quality Improvement and Population-Based Activities Examples,” focuses once again on illustrating the interoperability of HIPAA through examples. The examples are a continuation of Part 3 and are taken directly from the ONC’s blog post.


Example 4: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(5)

Providers participating in the ACO/OHCA may permit the ACO quality committee to access the Protected Health Information (PHI) needed for the quality assessment. An Accountable Care Organization (ACO) that consists of multiple providers operating as an Organized Health Care Arrangement (OHCA) has a quality committee made up of professionals from within the ACO. In order to improve patient health and meet Medicare’s quality improvement requirements, the quality committee plans to obtain and review treatment and health outcomes of ACO patients who experienced hospital-acquired infections and surgical errors.

Where the ACO is not operated as an OHCA, but the quality committee is evaluating care quality on behalf of the individual providers in the ACO, the providers participating in the ACO may permit the ACO quality committee to access the necessary PHI for the quality assessment, but only for patients whom the requesting and disclosing providers have in common, pursuant to 164.506(c)(4), instead for all the patients in the ACO.
In both instances, (OHCA and non-OHCA), access to, or disclosure of, electronic PHI can be made using Certified EHR Technology, so long as the HIPAA Security Rule is complied with.


Example 5: Quality Assessment/Quality Improvement – 45 CFR 164.506(c)(1) and (c)(4)
As part of a quality review, a health care provider may need to know the health outcome of a patient that the provider treated but no longer has contact with (e.g., patient was transferred to another provider). The provider may query a Health Information Exchange (HIE) for the relevant health outcomes of the individual, or the provider could directly ask the subsequent provider for information.


Example 6: Population-Based Activities – 45 CFR 164.506(c)(1) and (c)(4)A provider that has treated the patient and is responding to this query may use Certified EHR Technology to send the relevant information directly to the requesting health care provider, or may disclose to the requesting provider using the HIE. Disclosure of electronic PHI by Certified EHR Technology or other electronic means requires HIPAA Security Rule compliance. This scenario also works for health plans with a relationship with the patient; it is not limited to providers.
Unaffiliated hospitals in the same community often see the same patients and may not be able to tell whether a patient’s hospital-acquired infection resulted from care received at the current treating hospital or from a prior visit to a separate hospital in the community.

The hospitals that have treated or are treating the patient may use Certified EHR Technology to share relevant PHI to try to determine the source and/or cause of the infection in order to prevent further infections.

Disclosure of electronic PHI by Certified EHR Technology or other means requires HIPAA Security Rule compliance.


This post concludes the four-part series on HIPAA.

Tuesday, March 1, 2016

Health Groups Aim to Make Medical Records Easier to Access

On February 29, the Obama administration announced that technology companies, hospital systems and doctors' groups have agreed to take steps to make electronic health records easier for consumers to access and use.

While most care facilities have adopted digital practices, the systems used are often insular and do not transmit information to each other, limiting their usefulness to patient. The latest initiative is meant to speed removal of technological bottlenecks. It is unclear how immediately impactful the initiative will be, as President Obama leaves office in less than a year.

To date, $27 billion in government subsidies have been distributed to encourage the adoption of electronic medical records by hospitals and doctors’ offices. But the results so far have fallen short of the data-driven transformation that proponents envisioned. With new personal health applications for mobile devices hitting the market, there is a renewed push to clear obstacles rooted in different technologies and clashing competitive priorities among vendors and health care providers.

The agreement announced by the Obama administration covers 16 health care technology companies, which all-together represent approximately 90% of hospital electronic records used nationally. But, the announcement also lacked a hard timetable.

The 16 companies have pledged to:

1.       Improve consumer access. Theoretically, patients would be able to easily access their records from one provider and transfer them to another. That second provider would be able to seamlessly import the earlier records into its system.
2.     Stop blocking health information sharing. A 2015 ONC report found that some health care organizations were blocking the sharing of information outside their group.
3.      Put standards for secure efficient digital communications into effect, which would allow different systems to more easily transmit information with each other.

Joining the technology companies are major hospital systems such as Hospital Corporation of America and Tenet Healthcare, as well as insurers like Kaiser Permanente. The American Medical Association, the American Society of Clinical Oncology and other medical groups are also participating.



The original article can be found at the following address: http://nyti.ms/1Qp4Q1w