
June 24, 2013

Hacking HIPAA


Join me in attacking an endemic problem in health care today by Hacking HIPAA. I am crowdfunding the development of a new legal form to be used on and after September 23, 2013 to allow patients to opt-in to easier health care communications - a Common Notice of Privacy Practices that is patient-focused. (Text me, please! Email me, please! etc.) Depending on how much support this project garners, we can attack some related problems as well. Contributions at any level are welcome; contributions at the levels designated on the Hacking HIPAA Medstartr page get you a seat at the virtual table, voicing your concerns that need to be met in the CNPP and in follow-on projects.

I'm working on this project with two leading health care open source software developers, Ian Eslick and Fred Trotter. Check out Fred's video intro to the project on the Medstartr page - you can find Ian and Fred online via the links on the project page, too.

Here's an excerpt from the crowdfunding project page:


May 19, 2013

Hospital Chargemasters and Open Data from CMS -- The conversation continues

When CMS recently released hospital chargemaster and payment data for the 100 hospital codes most frequently billed to Medicare, there was much written and said about the significance of the data release.

Some found this to be significant; others (including your humble HealthBlawger), not so much.

Leonard Kish summed up and addressed the critiques of the value of the CMS open data, and others whose judgment I also respect found that the release was overall a good thing. Gilles Frydman, for one, in a listserv exchange, opined that the release was a net positive because it thrust the irrationality of hospital pricing into the public eye, and that "[i]f enough people get angry, a public push for more transparency will follow."

I can accept the proposition that data will be valued differently by different parties. However, I want to throw something else into the mix: We are collectively trying to move away from fee-for-service medicine. As the saying goes: the future is already here; it just isn't evenly distributed. Some are further down the path than others. I think that our time and effort is better spent on ensuring that value-based purchasing systems are up and running, rather than on improving the pricing transparency of FFS medicine.

Eighty-two percent of health plans responding to a recent survey consider payment reform a ‘major priority.’ Nearly 60 percent forecast that more than half of their business will be supported by value-based payment models in the next five years. And, of those, 60 percent are at least mid-way through implementation, according to a study published May 9 by Availity, a health information network.

The Health Plan Readiness to Operationalize New Payment Models study delves into the progress of the country’s commercial health plans, as they migrate from fee-for-service to value-based models of compensating physicians, according to a news release by Availity. The study highlights the consensus among plans that information sharing with physicians must be automated – primarily in real-time – for these models to achieve success.

HealthcareIT News.

On the Medicare front, ACO development and other initiatives of the Center for Medicare and Medicaid Innovation are moving the system away from FFS medicine as well.

There's a system-wide bet that's been placed on value-based payment. Historical amounts charged and paid shouldn't really enter into the construction of this framework, and that's part of what underlies my negative reaction to the release of the chargemaster and payment data. We should be more focused on things like: revaluing primary and preventive care, global budgeting for episodes of care, adoption and refining of meaningful quality measures and quality-based payment systems (even though not all VBP schemes are working) -- all to the same end as the end sought by those who have been cheering the release of the charge and payment data: transparency and a clear connection between payment and delivery of value.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting  

May 10, 2013

The federales' open data policy and the Medicare hospital chargemaster data dump ... Please don't inundate us with junk.

So just about everyone is pretty pumped about the White House announcement of its new open data policy.

Todd Park gives us the skinny on the latest in Open Government -- The Executive Order and related Open Data Policy -- in 60 seconds. (Gotta love that guy.)

In general, when it comes to data, the more the merrier, right? Data shared by the government to date -- including GPS data and weather data from satellites -- have spawned whole ecosystems of products and services. Tim O'Reilly sees this initiative as creating a new platform -- and sees tech development as keyed to introduction of new platforms (e.g., the PC). I look forward to more cool stuff that we can't yet imagine coming down the pike as a result of this initiative.

On the health care front --      

the Administration’s current Health Data Initiative, which has opened government-held data on hospitals, drugs, insurance products, healthcare costs, and more in machine-readable form, has already contributed to hundreds of new products and companies that are transforming health care delivery and improving patient health.  Just yesterday [5/8/2013], Medicare published data that for the first time gives consumers information on what hospitals charge for common inpatient procedures, signaling a major step forward for hospital price transparency and accountability.

They had me until "just yesterday." I'm down with the Health Data Initiative, and look forward to seeing some interesting uses of de-identified government data streams at the Health Datapalooza next month in DC, but the feds need to remember that while there is great value to pumping out data and seeing what folks can do with it, there is the risk that some of the data is, well, garbage, and that for it to have value it must be refined up the pyramid into information and knowledge -- yielding, we hope, some wisdom.

The data on hospital charges for the one hundred most common codes on the Medicare hospital claims database, released to great fanfare this week, is just that -- data. Since neither Medicare nor any other payor actually pays hospitals based on those charges, the many, many news stories (here's one or two f'rinstance) about the differences in charges from one hospital to another (the hospital responses to the accusatory questions about high charges are all of the Lake Wobegon variety ... their patients are all, well, above average) gloss over the fact that what we have here is data, but no useful information. Payment amounts are included as well, but Medicare fee schedules with local modifiers are published annually, so this is a new presentation of data that's already out there.

That's not to say that there can be no knowledge gleaned from Medicare data -- check out the Dartmouth Atlas, folks -- just that this time out there is, in the words of the poet, too much of nothing.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting 

May 07, 2013

Ponemon Institute study finds outdated communications technologies cost U.S. hospitals $8.3 billion a year

I spoke with Sean Kelly, CMO of Imprivata, a health IT company with single sign-on and secure SMS solutions that commissioned the study, entitled The Economic & Productivity Impact of IT Security on Healthcare (PDF).

The audio file of my interview with Sean Kelly (about 20 minutes long) is available for download/podcast, or may be played here:

Sean Kelly - Imprivata - Cost of Outdated Technology

A full transcript is available as a PDF (Sean Kelly - Imprivata - Interview) and is reproduced below. 

From the presser:

Economic and Productivity Impact of Outdated Communications Technology

  • Clinicians estimate that only 45 percent of each work day is spent with patients; the remaining 55 percent is spent communicating and collaborating with other clinicians and using EMRs and other clinical IT Systems.
  • According to the study, clinicians waste an average of 46 minutes each day due to the use of outdated communications technologies. The primary reason is the inefficiency of pagers (as cited by 52 percent of survey respondents), followed by the lack of Wi-Fi availability (39 percent) and the inadequacy of email (38 percent).
  • The Ponemon Institute estimates that this waste of clinicians’ time costs each U.S. hospital $900K per year, and based on the number of registered hospitals in the U.S., this translates to a loss of more than $5.153 billion annually across the healthcare industry.
  • Similar deficiencies in communications lengthen patient discharge time, which currently averages 102 minutes. About 37 minutes of this is due to waiting for doctors, specialists or others to respond with information necessary for the patient’s release. The Ponemon Institute estimates that this lengthy discharge process costs the U.S. hospital industry more than $3.189 billion annually in lost revenue.
  • Sixty-five percent of respondents believe secure text messaging to communicate with care teams during the discharge process can cut discharge time by 50 minutes. 

Effects of Regulations on the Delivery of Patient Care and Technology Adoption

  • Fifty-one percent of survey respondents say HIPAA compliance requirements can be a barrier to providing effective patient care. Specifically, HIPAA reduces time available for patient care (according to 85 percent of respondents), makes access to electronic patient information difficult (79 percent) and restricts the use of electronic communications (56 percent).
  • Additionally, 59 percent of survey respondents cite the complexity of compliance and regulatory requirements as the primary barrier to achieving a strong IT security posture.

While health IT did not create the need for clinicians to spend time reviewing and updating patient records, the promise of health IT -- to make things easier for clinicians, better for patients and more efficient and cost-effective for all of us -- is a matter for the future.  As the saying goes, "The future is already here -- it's just not evenly distributed." Kelly makes the case for SSO and secure SMS, and the Ponemon study provides a snapshot evoking the scope of the opportunity.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


HealthBlawg :: David Harlow’s Health Care Law Blog

Interview of Sean Kelly
Chief Medical Officer, Imprivata

May 7, 2013

David Harlow: This is David Harlow with HealthBlawg and I have with me today Sean Kelly, the Chief Medical Officer of Imprivata, which is providing some interesting new services and has news about a recent study which was conducted regarding communications systems that are in place in hospitals today and how that helps or hurts our healthcare system. Sean, thank you very much for speaking with us today.

Sean Kelly: My pleasure, David.

David Harlow: So Sean, in a nutshell, what can you tell us about this new study and what it may mean for folks looking at this from the hospital perspective?

Sean Kelly: Sure, the study was conducted by the Ponemon Institute and it’s entitled Economic and Productivity Impact of IT Security on Healthcare. It explores essentially the impact of security on people’s perception of how their workflow happens in the hospital, both with regard to HIPAA compliance and security issues as well as with efficiency and convenience and the ability to take care of patients. Some of the higher level points that came out of the study are that doctors and other caregivers, including nurses and other people who have direct patient contact, feel like they spend really less than 45% of their time actually caring for patients and in direct patient care, face-to-face contact. They also feel that outdated technology leads to at least 45 minutes a day of wasted time. The economic impact of this amount of time being wasted with outdated technologies can amount to a significant amount per hospital -- probably close to $1 million per hospital per year in the United States, and when you add all that up that’s over $8.3 billion per year in the US alone. This is probably a problem with economic impact around the globe as well, although this study was conducted on participants in the United States alone.

There is a lot of subjective information that came back as far as people’s information and opinions about what the cause of some of these delays were. Specifically they cited the inefficiency of pagers, the lack of WiFi availability and inadequacy of e-mail as well as the fact that text messaging wasn’t allowed. They felt that a lot of these things led to the inefficiency and inconvenience at work as opposed to what they’re used to in their consumer life.

I’m a practicing emergency physician as well as the Chief Medical Officer at Imprivata, and I can tell you that there is a lot of promise and potential that comes with technology, and there are also a lot of difficulties with it as well. Traditionally in healthcare we’ve seen a lot of tension between security concerns and convenience, and we see this at Imprivata since we provide a single sign-on solution addressing some of the pain points around the fact that providers are required to log on and authenticate just about every time they touch protected health information. This is a reasonable thing to ask providers to do because you really want to have an audit trail – it’s required by HIPAA to be compliant. It’s very necessary and proper to have good security barriers in place because you really want to make sure patients’ private information is protected, and it’s really the right thing to do.

The problem is a lot of these systems inherently can be difficult. In my life as a practicing doctor, on a typical shift in the emergency department I might log on and off of systems hundreds of times per shift for multiple patients and try to navigate back and forth between my electronic medical record and the PACS system to look up X-rays and other radiologic findings. I might go to other clinician applications such as UpToDate or Epocrates or other websites, and for every one of these jumps between and navigating around the systems I might need to log in or log out or try to boot something up or close it down, and every one of those points can cause delay -- not just in the time but also in cognitive disruption of my thought process, and so it’s really important to make sure that we have sort of the latest and greatest technology to allow us to do our jobs as physicians.

David Harlow: Right -- so it sounds like the single sign on solution would address something like that, that problem that you describe in the emergency department. And my understanding is that you’re talking also about another solution in terms of trying to ease the pain and reduce the time that’s spent on these various tasks in the day in the life in the hospital, is this a texting solution?

Sean Kelly: Yeah, I think it’s important for people to understand that healthcare is still reliant on some outdated technology -- specifically pagers -- and just to give you an example of what a typical workflow might be in a hospital: to page a colleague, whether it’s a nurse that you need to try to find out something from or order something from -- not necessarily something you do through the EMR, but if you just want to find out whether Room 7 has had a recent vital sign performed or oxygen saturation level or something -- you might page the nurse, and the pager system as it currently exists might be unidirectional, and so I would go to a desktop, have to log on, open up an application, look at what nurse is on call for a patient, who’s on duty at that time, send the page out to that person who may or may not contact me back, and that unidirectional message flow can get lost out there. It’s hard to know -- there is no read receipt, I’m not sure if it’s delivered or read -- there is no easy way to just text me back and say well, yes, that was performed, or no, it was not performed but I’ll do it, or actually the result is 97% on room air.

And that kind of inability to just quickly send a message out, have it come back, complete the workflow, in the current state of affairs in most places makes it difficult, especially when I walk into the hospital and in my pocket is this very efficient tool that I’m used to using all the time in my consumer life, where I can text message back and forth and get a quick reply, finish my thought process, move on to the next step. When I’m trying to discharge a patient from the hospital or from the emergency department there are many, many different points in that workflow that can lead to delay, and in this study for example they found that it may take over 100 minutes to get a patient discharged from a hospital, of which 37 minutes or more might be spent just trying to contact physicians and hear back from them that it’s okay to discharge a patient, or there might be one last minute thing they need to clear up, and this kind of operational flow issue would be very ideally solved with the text messaging platforms.

David Harlow: Right. So these issues aren’t new but I guess what you’re suggesting is that there is a solution just beyond our reach or maybe now just within our reach, but the problem as you state it is not a new problem. There has always been a need for people to be reviewing records, consulting with colleagues in the course of caring for an inpatient and it’s been traditionally a paper process but now with Meaningful Use starting to take hold, do you see an improvement on that front? Are these numbers based on a recent survey? Is there an older survey to compare these against? It just seems to me that there has been some improvement over time and perhaps things are better than they were but not quite as good as they could be.

Sean Kelly: Yes, it’s a very good point you raised. I think it is a double-edged sword. There are a lot of things that have certainly improved with the advent of electronic medical records, and computers are good at a lot of things. For example, when we’re about to discharge someone home, it’s very nice to be able to take their current medication list, and when you write a new prescription the computer is very good at cross-checking the drug-drug interactions or looking up their past listed allergies or reminding me that they’re due for their flu vaccination, and so from a population health standpoint and even from a patient care standpoint there are a lot of things that technology does for us. And you’re right, though, that the problem has been in existence for a while, where we’re trying to figure out all these different moving parts and be as efficient as possible -- that problem has been around.

Now we have tools that we can use to help solve those problems, so that we can bring technology to bear. The issue in the past couple of years, with acceleration of adoption of a lot of different technologies as healthcare starts to finally catch up to a lot of the rest of the world, is again this tension between security and convenience or efficiency, and the problem is that since we’re required to make sure that we’re absolutely compliant from a HIPAA standpoint we traditionally haven’t been able to use things like SMS texting because it’s not HIPAA compliant or secure, and above all else we have to make sure we hit that threshold. So the solution we created was really due to feedback from hospitals saying we want this tool but it needs to be ironclad secure, and so we as a healthcare security company set about working on this as a solution to help address the pain that’s out there, to say doctors and nurses want security and efficiency. If there is a tool that works they will do the right thing and use it, but it has to actually work and it has to actually be secure enough to satisfy the security officer at the hospital in order to be enabled on a hospital-wide basis and okayed for use by endpoint clinicians.

David Harlow: My readers and I are at varying levels of sophistication when it comes to the technical details behind this but I wonder if you could delve in a little bit and explain how the product or service achieves this level of security?

Sean Kelly: Sure, and my specific role is Chief Medical Officer, and so I’m also not a security officer, I’m a workflow person and I understand workflow from the clinician’s perspective, but what we have done is work in conjunction with a lot of our partner hospitals, with their security officers, to make sure that we are compliant with their needs to be HIPAA compliant, and the long and the short of that is that instead of using just an SMS text platform, where messages and pictures and everything else live on the server or on the phone itself and are not HIPAA compliant, what we’ve done is create a protected area within an app. So this is essentially an app that you download to the phone; users are enabled by the hospitals, it syncs to their Active Directory, and you can immediately enable or disable users on the system, and it’s configured in such a way that everybody that the hospital wants to be visible to each other on this network within this app can be visible to one another, but if you’d like to remove somebody you can erase them immediately and all the Protected Health Information or PHI along with their conversations just goes away -- no longer visible for that person; it lives within the app.

David Harlow: And then do the conversations reside on a hospital server of some sort?

Sean Kelly: So the conversations reside in the cloud on a server that is accessible only to the hospital. It’s encrypted so that the hospital is the only one who can see the protected health information within it. We will see usage stats and we will know messaging information about how much is being used and by whom in the hospital, but we won’t see any of the information within that -- that’s encrypted and only visible to the hospital users themselves -- to the admin and to the end users within the hospitals. For greater detail on the security measures involved I’d be happy to let readers or you hook up with people on our end that are experts, but our basic strategic process has been: let’s pick the information security officers that we know around the country and the world that are the most strict, and make sure it meets their needs, because if it meets their needs as to hospital IT then it will certainly meet the needs of the others who are less stringent out there, and as long as it meets their needs and we’ve gone through that due diligence and we sign business agreements stating that we’re HIPAA compliant as a vendor, then hospitals are comfortable as per their policy to enable users on this. And then on the other end we want to make sure that we are creating the best user experience and the user satisfaction in a very healthcare-centric way for the end users, specifically physicians, nurses, administrators, other caregivers within the hospital.

David Harlow: Okay. You mentioned earlier that you’re focused on this from a workflow perspective and I’m wondering if there are other changes to workflow in your typical hospital - if there is such a thing - that could be looked at in order to alleviate some part of this problem that you’re trying to solve?

Sean Kelly: Yeah, I think the possibilities are certainly exciting. Once you have a platform in place that allows for control of your desktop and easier access in and out of systems throughout the desktop -- which is part of our core offering with single sign-on and authentication and sort of a trust fabric of authentication -- and you have endpoints involved where you’re reaching out, and those messages get sent out to endpoints like mobile devices, and you’ve got providers within the network able to now have secure messaging back and forth, now things get really interesting, because you can really accelerate the provider’s ability to provide good care because you’re making their workflow much more efficient. And so this is where the fun actually just gets started, once people start to use it, because then they realize, okay, well there are these Meaningful Use guidelines, or there are these problems as an Accountable Care Organization where we need to really enhance communication between our facilities when we do interfacility transfers, or we really need to make sure we prevent congestive heart failure readmissions and we think that the best way to do that is to facilitate communications between our case managers and our primary care doctors and our cardiologists, so here is a package of communications that we could enable using CorText, which is the secure messaging platform, along with some of our ability to automate which applications pop up when someone signs on in the cardiology unit. And you could picture a hospital now structuring, because they have just enough of these different secure collaboration and communication tools, to really create an interesting package that can be used as a template by different hospitals to address a particular clinical problem, and just like someone comes up with a really good stethoscope and then it’s up to the caregivers to figure out how they’re going to best use it to care for a patient -- technical tools in a way are similar. We’ve created a very secure way of communicating. I don’t know that we’re going to try to tell doctors and nurses and hospitals this is how you should use it -- we can say here are examples of how we think it can be used; work with us to tell us how it could be the most valuable to make your jobs easier and make your patients’ lives better, so that’s sort of the goal.

David Harlow: Right - sounds good. Well it’s an exciting time and that’s a very interesting tool, set of tools that you’re developing. I thank you for taking the time to share with us today. This is David Harlow and I’m speaking with Sean Kelly, Chief Medical Officer of Imprivata. We’ve been talking about CorText, their secure texting service and related products as well. Thank you for listening on HealthBlawg.
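The architecture Kelly sketches in the interview (PHI kept inside the app, conversations on a cloud server the vendor can meter but not read, users enabled and disabled from the hospital's directory) leaves the question a security officer should ask first: who holds the key. The "encrypted so that only the hospital can see it" claim only holds if the key is generated and kept on the hospital side; if the vendor's service can decrypt on the hospital's behalf, the vendor's administrators, and anyone who compromises or subpoenas the vendor, can too. The example below is added here to make that design concrete; it is not Imprivata's code and says nothing about how CorText is actually built. The tenant name, user ids and messages are constructed, and an HMAC-SHA256 keystream stands in for a real AEAD such as AES-GCM so the block runs on the Python standard library alone. It shows the server storing ciphertext plus clear metadata (enough for usage stats), the metadata bound into the authentication tag so a message cannot be silently re-addressed on the server, and directory sync driving who may read at all:

```python
"""Added example (not Imprivata's code): tenant-keyed message store where the vendor's
server holds ciphertext plus clear metadata and never the hospital's key."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD such as AES-GCM."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _mac(key, nonce, aad, ct):
    """Tag over nonce, length-prefixed AAD and ciphertext (encrypt-then-MAC)."""
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()

def seal(key, plaintext, aad):
    """Encrypt under the tenant key; the tag also binds `aad` (the clear metadata)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return {"nonce": nonce, "ct": ct, "tag": _mac(key, nonce, aad, ct)}

def unseal(key, env, aad):
    """Constant-time tag check first: a wrong key or edited metadata is rejected outright."""
    if not hmac.compare_digest(_mac(key, env["nonce"], aad, env["ct"]), env["tag"]):
        raise ValueError("authentication failed: wrong key or tampered envelope/metadata")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(env["ct"], _keystream(enc_key, env["nonce"], len(env["ct"]))))

def canonical(meta):
    """Deterministic encoding of the metadata the server stores in the clear; used as AAD."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()

@dataclass
class VendorStore:
    """Vendor cloud side: envelopes, clear metadata, and a mirror of which users the
    hospital has enabled. It never receives a tenant key."""
    records: list = field(default_factory=list)
    enabled: dict = field(default_factory=dict)   # tenant -> set of enabled user ids

    def sync_directory(self, tenant, users):
        self.enabled[tenant] = set(users)          # e.g. pushed from the hospital's AD group

    def put(self, meta, env):
        if meta["sender"] not in self.enabled.get(meta["tenant"], ()):
            raise PermissionError(f"{meta['sender']} is not enabled for {meta['tenant']}")
        self.records.append({"meta": dict(meta), "env": env})

    def fetch(self, tenant, user):
        if user not in self.enabled.get(tenant, ()):
            raise PermissionError(f"{user} is disabled; conversations are no longer visible")
        return [r for r in self.records if r["meta"]["tenant"] == tenant
                and user in (r["meta"]["sender"], r["meta"]["recipient"])]

    def usage_stats(self, tenant):
        """All the vendor can legitimately report: per-sender counts and bytes, never content."""
        stats = {}
        for r in self.records:
            if r["meta"]["tenant"] == tenant:
                s = stats.setdefault(r["meta"]["sender"], {"messages": 0, "bytes": 0})
                s["messages"] += 1
                s["bytes"] += len(r["env"]["ct"])
        return stats

@dataclass
class HospitalClient:
    """Runs inside the hospital's app; holds the tenant key, which never reaches the vendor."""
    tenant: str
    key: bytes

    def send(self, store, sender, recipient, text):
        meta = {"tenant": self.tenant, "sender": sender, "recipient": recipient,
                "msg_id": secrets.token_hex(8)}
        store.put(meta, seal(self.key, text.encode(), canonical(meta)))
        return meta["msg_id"]

    def read(self, store, user):
        """Recompute the AAD from the metadata the server returned: a re-addressed
        message fails the tag check and raises instead of being shown."""
        return [(r["meta"]["sender"], unseal(self.key, r["env"], canonical(r["meta"])).decode())
                for r in store.fetch(self.tenant, user)]

def build_demo():
    """Constructed scenario (not real data): one tenant, two enabled clinicians, two messages."""
    store = VendorStore()
    hospital = HospitalClient("general-hospital", secrets.token_bytes(32))
    store.sync_directory(hospital.tenant, {"dr.kelly", "rn.jones"})
    hospital.send(store, "rn.jones", "dr.kelly", "Room 7 sat 97% on room air")
    hospital.send(store, "dr.kelly", "rn.jones", "OK to discharge")
    return store, hospital
```

Run `build_demo()` and compare `store.usage_stats(...)` with `hospital.read(store, "dr.kelly")`: the vendor side can count messages and bytes per sender, the hospital side gets plaintext, and `unseal` with any key other than the tenant's fails the tag check rather than returning garbage. Editing a stored record's recipient, or disabling a user in the directory, makes the next `read` raise. The point for a buyer is that none of these properties is visible from a BAA or a "HIPAA compliant" statement; ask where the tenant key is generated, who can recover it, and whether the server-side metadata (who messaged whom, when, how much) is itself treated as PHI, because in this design it is stored in the clear by necessity.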

February 04, 2013

HIPAA Omnibus Final Rule – What’s in it for Patients?

After years of delay, the federales finally finalized the omnibus amendments to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.


The Final Rule offers significant changes to patient rights and patient protections. (There is much more to the rule, but other aspects are not addressed in this post. Here you may find a link to the HIPAA Omnibus Rule, a Google+ Hangout taking a first look at the rule as a whole, and a bullet-point summary of the hangout; here you may find a piece I wrote on the Breach Notification Rule.  Some work remains to be done on other parts of the HIPAA rules, such as the accounting of disclosures provisions.)

Before detailing the patient-focused changes, a bit of broad-brush background is in order. The original HIPAA privacy and security rules are all designed to protect the privacy and security of "protected health information" (PHI) of individual patients. PHI may be shared among health care providers and payors (and health care clearinghouses - a type of claims processor) (collectively, Covered Entities or CEs) for purposes of treatment, payment and operations (TPO) without asking patients for permission. Outside of TPO and a list of specific exceptions (disclosures required by law, for public health purposes, and the like), a use or disclosure of PHI requires the patient's written authorization. Some CE operations require dealings with Business Associates (BAs) -- entities that are not CEs, but that end up using PHI to help CEs carry out their TPO responsibilities (e.g., medical records vendors, billing companies, etc.). Every CE is required to give patients a Notice of Privacy Practices (NPP) and to enter into a Business Associate Agreement (BAA) with each of its BAs, under which the BA agrees to maintain the privacy and security of PHI.

The amendments collected in the Final Rule are promulgated under the HITECH Act (the portion of the 2009 Recovery Act that also funded the Meaningful Use EHR incentive program) and GINA (the Genetic Information Nondiscrimination Act of 2008). The amendments under the HITECH Act add privacy and security protections to HIPAA in order to allay concerns that, with the promotion of more widespread use of electronic health records, there would be more opportunities for breaches of the privacy and security of PHI. Amendments under GINA harmonize HIPAA regulations with GINA regulations.

So, without further ado, here are the highlights:

Business Associates are held to the same strict standards as Covered Entities

Business Associates and their subcontractors are now directly responsible for compliance with HIPAA, not just responsible for signing a BAA. They will now be subject to OCR HIPAA compliance audits, just as CEs are, and should be undertaking risk assessments in order to ensure that their privacy and security compliance is up to snuff.  BAs have always been responsible for compliance under their BAAs, but some BAs, particularly smaller ones, probably have not focused enough on HIPAA compliance. Now they will have to because they are fully accountable -- they can be audited and fined, just like the Covered Entities.

The definition of BA is expanded

Business Associates are now defined to include a broader array of contractors that store and touch PHI -- including, for example, document storage companies and other contractors that "maintain" PHI, even if they do not actually view the information in their possession.

Use of Protected Health Information for marketing is limited

Covered Entities may not send marketing materials to patients on behalf of third parties if the communication is paid for by the third party whose products or services are being promoted. Several communications that were previously excepted from the marketing rules regardless of who paid for them -- communications about (i) treatment, (ii) a health-related product provided by, or covered by a benefit or insurance plan issued by, the CE making the communication, or (iii) case management, care coordination or treatment alternatives -- now remain outside the marketing rules only if the communication is funded internally by the CE rather than by a third party.

Sale of PHI is limited

PHI may not be sold, licensed, or otherwise disclosed in exchange for anything of value without the patient's authorization -- with a handful of exceptions. PHI may be disclosed in exchange for remuneration (i) for public health purposes, (ii) for research, so long as payment is limited to the sending CE's costs, (iii) for treatment and payment, (iv) in connection with a sale or merger of the CE, (v) to or by a BA where the CE is just paying for the BA's services, (vi) to a patient who requests access to his or her own PHI, (vii) as required by law or (viii) as otherwise permitted under HIPAA where the remuneration covers costs only.

Use of PHI for fundraising is limited

On the one hand, nonprofit health care providers can target their fundraising efforts by using PHI that clues them in to what services were provided to which patients. On the other hand, each contact must allow a patient to opt out of all future fundraising communications.

Use of PHI for research is simplified

A single consent for release of PHI in connection with research study participation can now cover future studies done using the same data. In addition, clinical trial consents can now be combined with retrospective data review consents. (If you like being a lab rat, you won't have to sign as many data release forms.)

Use of genetic information for insurance underwriting purposes is banned

As required by GINA, genetic information may not be used for health insurance underwriting purposes. Thus, genetic information is now included in the definition of PHI. In addition, the underwriting ban is carried forward into regulation. However, genetic information may be used in long term care insurance underwriting decisions.

Patients may access PHI electronically

Upon request, a CE must provide a patient or an authorized representative a copy of a requested medical record, in the format requested, within 30 days. If, for some reason, the 30-day timeframe is unworkable, the regs give CEs a single additional 30 days. If the CE cannot produce the records in the format requested by the patient, the parties need to get together and agree on a workable compromise solution. Previously, the patient had to make do with whatever format the CE produced (often a paper printout), and had to allow 60 days plus 30 days for tough situations. So there is some progress here. Of course, a CE that is in compliance with the Meaningful Use regulations for EHR implementation is required, in Stage 2, to provide records to patients electronically within just a few days (though the Society for Participatory Medicine called for immediate patient access to EHR information: as soon as a clinician who did not author the entry can see it, the patient should be able to see it).

Patients may restrict disclosure of some information

If a patient pays for a particular service out of pocket, he or she may require that the provider not disclose any information about the service to the patient's health plan. Providers are required to advise patients about potential inferences that payors can make based on other services provided (e.g., "If you pay for lab test A out of pocket, but have us bill your health plan for tests B, C, D and E, your health plan will be able to figure out that you had test A done as well."). If a visit that a patient pays for out of pocket will generate a prescription, the patient would be well-advised to ask that the prescription be written by hand, so that no electronic notice of the prescription will get to the health plan. In a perfect world, sharing of treatment information with one's health plan would not be problematic, but some patients have legitimate concerns about the use and misuse of such information by employers, health insurers, life insurers and others.

The HIPAA Omnibus Rule was published on January 25, 2013. It is effective 60 days later (March 26, 2013), and (with certain exceptions) regulated parties must come into compliance within 180 days after that, or September 23, 2013.

What do you think?

Was this rule worth the wait? Are your pet peeves addressed by the final rule? Let us know in the comments.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

This post first appeared on the blog of the Society for Participatory Medicine. David Harlow chairs the Society's Public Policy Committee.

January 23, 2013

HIPAA Omnibus Rule - Google+ Hangout

For a first look at the HIPAA omnibus rule, I had a Google+ Hangout on Air with Brian Ahier and Deven McGraw this afternoon. We talked through the changes made to the privacy and security rules, the breach notification rule, the enforcement rule, and the harmonization of HIPAA and GINA. The video runs about an hour, and we got some pretty good reviews live and in the hours since this ran. Check out the HIPAA discussion on Google+ concurrent with and immediately after the hangout, too.

HIPAA Omnibus Rule Hangout


One viewer, Ben Watts, posted his notes almost immediately after we were through, on his blog EMRSoap. (Thank you, Ben!) Here's an excerpt from his post:

EMRSoap Write-up of the HIPAA Hangout by Industry Leaders

Below are our notes from the discussion – they’re not specifically tied to the individual speaker.

  • Most of the final rule was the same.  Except for the Marketing provision – that was quite a bit different than the proposed rule.
  • We’re still not done. Even though this is the ‘Omnibus rule’, there’s still 2 new rules that need to come out.
  • Bus related puns abound.
  • What do providers need to watch out for?  One thing: Primary liability of BAs and subcontractors.  You really can’t sub out responsibility entirely.
  • There’s a community of small providers and Business Associates who aren’t aware of the reality of HIPAA and haven’t completed Risk Assessments (and more).  They’re just not familiar enough with their obligations and the HIPAA environment.  They’ll have till September 23rd to comply with this rule.
  • Date by which new BAA and NPP need to be entered into is a year after that September 23rd.  The agency will be issuing further guidelines throughout this timeline.
  • The government is committed to more audits and fines.  The fines they collect will fund the audit process.  We’re going to have audits of Business Associates and their subcontractors, not just Covered Entities.
  • Enforcement is moving to Penalty base, and away from voluntary compliance.
  • But not entirely, says Deven.  Rule was pretty clear – informal resolution and voluntary compliance would still play a factor in enforcement.  HHS will have discretion.
  • HHS has been going after the smaller groups as well, even without the Omnibus rule.
  • Environment of ‘Hands off’ has led to people being careless.  Behavior has been beyond what’s acceptable for building up trust in EMRs.
  • Why should patients be excited?  People most bugged by marketing – that’ll be limited by HIPAA Omnibus rule.  Also, breach notification provision much more clear means that institutions are going to pay a lot more attention to encryption.
  • Discussion on the ‘conduit’ exemption – very narrow exemption.  Really only works for courier-like firms (ISP and postal services, for example).  Only making sense in cases of random or intermittent access to ePHI.  As opposed to entities that store data – would be a BA, even if the intention is not to look at it.
  • Failing to sign a BAA doesn’t exempt you from BA status.
  • Researchers are now permitted to give people conditional treatment if they agree to research.
  • Now allowed to have authorizations for future research as long as the description is rich enough to give the patient a general idea of the types of research that’ll be enacted.  No need for individual study approval.  Requirement is somewhere in between ‘all research’ and ‘one study’.
  • Patients can request records in forms that make sense for them.  If you can’t technically do it in the form (5.5 in floppy, for example?) then the provider will have to reach an agreement with the patient.
  • Is it possible to segment your record, and keep some info off of your Health record?  Yes.  It’ll probably be hard for a fair amount of providers.  If a patient says ‘don’t send this to my payer’, you can’t do it.
  • Patient right to get data trumps security requirement.  If the patient is notified of risks of transmitting ePHI over email, then the ePHI can be transmitted to the patient.  Requirement of alerting patients is fairly low.  Bi-lateral communication is a different realm, however.
  • Changes to enforcement rule – bottom line is there’s a max of 1.5 million per violation.  Likelihood of greater fines in the future?  Maybe.  Largest fine to date was against a bankrupt company.
  • There’s more breaches reported…not necessarily more breaches in total.  Now, with our digital health system, we know who’s seen what.  We’ll see more breaches in total, but that’s not necessarily a bad thing.
  • BAs’ right to use data is explicitly limited.  BAs are directly liable, but they’re still subordinate to Covered Entities.
  • Breach Notification – we’ve moved away from the ‘harm standard’ – moved away from the subjective value of the underlying data.  We’ve moved to an examination of ‘what happened in this instance?’  Presumption being if we don’t know what happened, then there was a breach.  Notion of ‘if it’s info about your big toe then it’s not harmful’ is gone, as is underlying subjective value judgment of data.  Faxing info to Doctor X instead of Doctor Y, maybe less of a big deal.  As long as that mistake is handled appropriately, it’s not that big of a deal.  If there’s greater than a low probability that the ePHI was breached, then there needs to be a notification.  There’s a 4-pronged set of standards that need to be examined in that investigation to determine if there was a breach.   But if you know that there was a breach, you don’t need to do an investigation.
  • Everybody: gotta revise your Notice of Privacy Practices.  Remember that you have until September.

We enjoyed using the Google+ Hangout on Air platform, though it was a little bumpy as it was our first time. We are considering putting together future hangouts on the HIPAA omnibus rule, and would welcome your input regarding which issues warrant a closer look.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


December 12, 2012

Can Patient-Centered Care Reduce Hospital Readmissions?

A new Press Ganey white paper highlights an association between HCAHPS performance -- patient experience scores -- and lower rates of readmission. (Performance Insights - The Relationship Between HCAHPS Performance and Readmission Penalties.)

With Medicare payment penalties for excess readmissions now in effect, reducing readmissions has become a top priority for hospitals and other stakeholders. The Centers for Medicare and Medicaid Services (CMS) publicly reports risk-adjusted readmission rates for heart attack, heart failure and pneumonia. The data show significant variation in performance across hospitals, indicating that some hospitals are more successful than others at addressing the causes of readmissions. A new study by Press Ganey suggests that performance on readmission metrics is associated with performance on patient experience of care measures.

This study is an interesting look at the relationship between two value-based purchasing programs used by CMS to calculate Medicare payments to hospitals -- the Hospital Value-Based Purchasing Program and the Readmissions Reduction Program.

The key learning from this study is this:  

Effective communications is fundamental to ensuring that patients become engaged in their care and, consequently, better equipped to follow discharge instructions and self-monitor after leaving the acute care setting.

Coupled with patient-centered practices supported by past studies (which have shown that "the single most effective strategy for improving patient satisfaction is purposeful hourly rounding by nursing staff"), a "sustainable discharge" strategy is highlighted as a key predictor of avoided readmissions.

A sustainable discharge strategy comprises identifying and addressing patient-specific factors that could lead to readmission, strategic patient education, developing a patient-focused after-care plan and ensuring a smooth transition to a post-acute setting. Tactics that drive success in achieving sustainable discharges include: dedicated patient transition coaches, proactive planning for non-medical barriers to treatment adherence, post-discharge phone calls, scheduled follow-up care, and use of cross-setting discharge planning tools and teams.

In other words, a patient-centered discharge planning process, built on clear communications with the patient, is likely to reduce readmissions.

With more than 20% of Medicare beneficiaries discharged from an acute care hospital being readmitted within 30 days, at a cost of over $15 billion a year, and with over 2000 hospitals looking at readmissions reduction program Medicare payment penalties in FFY 2013 totaling $280 million, this is a significant issue -- but one where a potential solution is clearly at hand.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

December 07, 2012

Data Breach Analysis 2009-2012 - HITECH Experience Reviewed by HITRUST

In the first three years that the HITECH data breach notification rules have been in effect (September 2009 - September 2012), almost 500 breaches affecting more than 500 individuals have been reported.  As of this spring, over 57,000 data breaches affecting fewer than 500 individuals have been reported.

Courtesy of HITRUST (Health Information Trust Alliance)

The key takeaways:

  • Most data breaches are accounted for by theft or loss (2/3 of breaches, over 4/5 of breached records); the balance are accounted for by unauthorized access or disclosure, incorrect mailing, hacking and improper disposal 
  • Hacks are on the rise, and given the likely underreporting of all breaches and the ease with which theft and loss of devices and records are detected, chances are that security improvement efforts are not being targeted appropriately
  • The weak links for most data breaches are laptops, paper records and mobile media (3/4 of breaches, 2/3 of records); the balance are from desktop computers, network servers and system applications
  • The trend in number of data breaches over time is encouraging, but there have been upticks in late 2011 and early 2012
  • Hospitals, health plans and business associates are getting better at securing their data over time; physician practices are getting a little worse, particularly smaller practices which, since they are often linked to community hospital EHRs, expose the hospitals as well
  • Government sector breaches account for a large percentage of the whole (check out the OIG report on CMS data breaches under HITECH for a glimpse of one sliver of this problem)

The full report is worth reading.  Also: see more from HealthBlawg on HIPAA, HITECH and data breaches.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

December 05, 2012

David Harlow featured in Becker's ASC Review: 6 Steps for ASCs to Participate in New Payment Models

Here's an excerpt from a piece in Becker's ASC Review quoting me on the effect ACO development and other health reform environmental changes are likely to have on ambulatory surgery centers, and how ASCs can position themselves for future success.

Here are six steps for surgery centers to participate in new payment models.

1. Figure out how to participate in ACOs productively. ACOs are becoming more common in different healthcare markets across the country and ambulatory surgery centers need to figure out how they can most productively participate. First and foremost, they should leverage the relationships they have with hospitals and physician groups for a seat at the table during the ACO formation.

"There is clearly a place for physician led ACOs because we are talking about developing systems to control costs that are ultimately directed by physician order," says David Harlow, principal at The Harlow Group, a healthcare law and consulting firm. "There is an opportunity for physician-led ASCs to participate in ACOs and benefit from the payment incentives that are included in the program simply because of the ability to improve quality and reduce costs over a baseline period, and that could fall to the ASC's bottom line."

Integration will be easier if the ACO is physician-led. Hospital-led ACOs may focus on filling hospital ORs; however, surgery centers also have partnership options if the ACO is hospital-led.

Follow the link to read about the other five.

For related information, check out the 2013 Medicare rate regulation for ASCs and my recent post on accountable care organizations and health reform after the election.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


November 21, 2012

Engage With Grace

As patients, as family members, as friends, as health care providers, we have all faced end-of-life issues at one time or another, and we will face them again. And again. 

Having been through this process twice in the past year, I can only repeat that it is important to have The Talk, to help ensure that your family members' and friends' wishes about end-of-life care are clear, are documented and, as a result, are followed. If it helps to get the conversation going, use the Five Questions in the slide at the end of this post. 

Download your copies of the Massachusetts health care proxy form or other states' proxy or living will forms -- and add specific instructions about nutrition, hydration, and anything else that is important to you so that everything is crystal clear.  Having the conversation is a starting point; we all need to follow through and make sure that our loved ones' wishes are documented, placed in medical records, discussed with physicians and other caregivers, and honored.

And with that I turn it over to @engagewithgrace for #blogrally12 (the latest edition from a group of us kickstarted by Alexandra Drane, Matthew Holt and Paul Levy.) If you blog, consider copying the rest of this post, and putting it up now through the end of Thanksgiving weekend. 

- O -

One of our favorite things we ever heard Steve Jobs say is… ‘If you live each day as if it was your last, someday you'll most certainly be right.’

We love it for three reasons:

1) It reminds all of us that living with intention is one of the most important things we can do.
2) It reminds all of us that one day will be our last.
3) It’s a great example of how Steve Jobs just made most things (even things about death – even things he was quoting) sound better.

Most of us do pretty well with the living with intention part – but the dying thing? Not so much.

And maybe that doesn’t bother us so much as individuals because heck, we’re not going to die anyway!! That’s one of those things that happens to other people….

Then one day it does – happen to someone else. But it’s someone that we love. And everything about our perspective on end of life changes.

If you haven’t personally had the experience of seeing or helping a loved one navigate the incredible complexities of terminal illness, then just ask someone who has. Chances are nearly 3 out of 4 of those stories will be bad ones – involving actions and decisions that were at odds with that person’s values. And the worst part about it? Most of this mess is unintentional – no one is deliberately trying to make anyone else suffer – it’s just that few of us are taking the time to figure out our own preferences for what we’d like when our time is near, making sure those preferences are known, and appointing someone to advocate on our behalf.

Goodness, you might be wondering, just what are we getting at and why are we keeping you from stretching out on the couch preparing your belly for onslaught?

Thanksgiving is a time for gathering, for communing, and for thinking hard together with friends and family about the things that matter. Here’s the crazy thing - in the wake of one of the most intense political seasons in recent history, one of the safest topics to debate around the table this year might just be that one last taboo: end of life planning. And you know what? It’s also one of the most important.

Here’s one debate nobody wants to have – deciding on behalf of a loved one how to handle tough decisions at the end of their life. And there is no greater gift you can give your loved ones than saving them from that agony. So let’s take that off the table right now, this weekend. Know what you want at the end of your life; know the preferences of your loved ones. Print out this one slide with just these five questions on it.

Have the conversation with your family. Now. Not a year from now, not when you or a loved one are diagnosed with something, not at the bedside of a mother or a father or a sibling or a life-long partner…but NOW. Have it this Thanksgiving when you are gathered together as a family, with your loved ones. Why? Because now is when it matters. This is the conversation to have when you don’t need to have it. And, believe it or not, when it’s a hypothetical conversation – you might even find it fascinating. We find sharing almost everything else about ourselves fascinating – why not this, too? And then, one day, when the real stuff happens? You’ll be ready.

Doing end of life better is important for all of us. And the good news is that for all the squeamishness we think people have around this issue, the tide is changing, and more and more people are realizing that as a country dedicated to living with great intention – we need to apply that same sense of purpose and honor to how we die.

One day, Rosa Parks refused to move her seat on a bus in Montgomery County, Alabama. Others had before. Why was this day different? Because her story tapped into a million other stories that together sparked a revolution that changed the course of history.

Each of us has a story – it has a beginning, a middle, and an end. We work so hard to design a beautiful life – spend the time to design a beautiful end, too. Know the answers to just these five questions for yourself, and for your loved ones. Commit to advocating for each other. Then pass it on. Let’s start a revolution.

Engage with Grace.

Engage With Grace

David Harlow
The Harlow Group LLC
Health Care Law and Consulting