Health Reform: What's a Provider to Do?

What should health care providers be doing in anticipation of the likely passage of an historic health reform bill?  There are at least three possibilities: (1) Lament the passing of the good old days and oppose it; (2) Insist that it isn't good enough because it is lacking some key provision (tort reform; SGR replacement; robust public option); or (3) Embrace it, because incrementalism works, and prepare for what's coming down the pike.

As you may guess, I would recommend taking the third approach, which requires focused preparation for the road that lies ahead.  So, what is a provider to do?

In the future, there will be pilots, demonstrations and mainstream programs trying to do more with less: providing health insurance and health care services to more people, with effectively fewer dollars per capita.  Payors -- be they public sector or private sector -- will therefore be squeezing providers.  The House and Senate versions of the health reform bill are equally clear on this point.  Providers therefore need to be proactive in preparing themselves to provide high-quality health care services at competitive rates.Instead of simply resigning themselves to negotiating percentage discounts off of current rates of payment, all providers need to be prepared to negotiate global payments, pay for performance deals, quality incentives and more -- as some forward-thinking provider organizations have been doing for some years now.

In order to be able to negotiate these terms effectively, providers must have a good handle on their own cost structure, and must begin to work at developing broader alliances of providers so as to be better positioned for negotiations with public and private payors.

In my years of experience in working with health care providers at that moment -- the point in time when folks with otherwise disparate interests realize the tremendous value of working together effectively in order to simultaneously promote better clinical outcomes for patients and better financial outcomes for providers -- I am always heartened by the epiphanies of the providers who realize that a new approach, or a new structure, can take them beyond their historical, positional, sometimes defensive attitudes, and into a future that they are able to shape and help define.

I look forward to working with more providers and provider organizations at this critical juncture so that they can be prepared for the future that will soon be upon us, and so that they can have a hand in crafting that future.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

The Joint Commission's latest on medical staff bylaws, six years on

After being put on ice last year, the Joint Commission's standard regarding medical staff bylaws, the medical executive committee (MEC) of a hospital's medical staff, and associated rules and regulations and policies (MS.01.01.01, formerly known as MS.1.20) is moving forward.  The revised draft of MS.01.01.01 was released for a six-week comment period ("field review") yesterday.

The key issues with the prior draft -- especially the need to include all substantive provisions of medical staff governing documents in the medical staff bylaws (see discussion in the linked post from last year) -- have been addressed in the new draft.  The question remains whether the revisions are sufficient.  While there is acknowledgment that not everything needs to be in the bylaws, plenty does, and the line of demarcation is not crystal clear.  Check out one of the FAQs (#5):

All “requirements” for EPs 12-36 must now be in the bylaws. For those EPs12-36 that require a process, the medical staff bylaws must include at a minimum the basic steps, as determined by the organized medical staff and approved by the governing body. The “associated details” for EPs 12-36 may reside in the medical staff bylaws, rules and regulations, or polices. The organized medical staff adopts what constitutes the associated details, where they reside, and whether their adoption can be delegated to the medical executive committee. EP 14 refers to the process for privileging and reprivileging licensed independent practitioners. Does this mean that all of the associated details to obtain privileges, such as the need to have successfully performed “x” number of laparoscopic cholecystectomies, must now be in the bylaws? Exactly what details or criteria must be in the bylaws and what should be in other documents?

Each hospital’s medical staff and governing body must decide what degree of detail needs to be in the bylaws—the critical issue being what must be jointly approved by the governing body and the organized medical staff. For example, a medical staff and governing body may wish to set a critical level of requirements that must be listed in the bylaws (with respect to credentialing or privileging)—such as board certification, valid license, and National Practitioner Data Bank query. As for the number of times a certain procedure must be performed before privileges are granted (for example, the number of times a laparoscopic procedure is performed), this requirement would be the type that might better be met by an individual department (e.g., surgery, family practice, etc.) and thus kept in rules and regulations or other documents—but this is up to each organization’s medical staff and governing body. With respect to a practitioner performing a new procedure (e.g., laparoscopic bariatric surgery), the bylaws could set a “bright line” that needs to be met—for example, that the physician be trained in a recognized program; that the physician successfully complete the program; that recommendations from peers be sent to the hospital; and that the physician be competent. The more specific details, such as the number of procedures to be performed, might then be determined by the particular department and placed in rules, regulations, or policies. Again, this is up to each medical staff and governing body.

Thus, while there are some improvements here, there is still room for further improvement.  Check out the full draft, the FAQs and the call for comment on MS.01.01.01 at the JC website (or here: draft MS.01.01.01, draft definitions, FAQs).  Given the statement of support for this draft posted on the Joint Commission's website, some observers believe that adoption as written is likely.  Time to get ready to work on hospital medical staff bylaws, and to get creative about the MEC - medical staff balance of power.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Patient control over patient data in electronic health records: A work in progress

Over the past six months, there has been a growing (and certainly more visible) patient-centered movement fomented in large part by some of the health care digerati / blogerati / twitterati I know -- revolving around patient control over electronic health records. 

Dave DeBronkart (@ePatientDave) -- not the most circumspect guy you'll ever meet -- is very straightforward about it. He says: "Gimme My Damn Data."  (See my earlier take, with links to his post on his Google Health experience.)  Gilles Frydman (@gfry)and others were responsible for putting together the "Declaration of Health Data Rights" (the link is to my post on the subject, with links to related resources); while that title is more sedate, Gilles is an equally vocal advocate for patient control of data.  In fact, he and Dave are two of the key drivers of e-patients.net and the Journal of Participatory Medicine.  Mark Scrimshire (@ekivemark) -- HealthCamp's "chief troublemaker," with whom I had the pleasure of organizing HealthCamp Boston earlier this year -- blogged on the subject of patient control of patient data a couple days ago, as he pulled together some recent posts by Gilles and Jen McCabe (@jensmccabe) which relate to part of this past Sunday's #hcsm tweetchat with Steven Daviss (@HITshrink) and others (scroll down to 8 pm or so to read about licensing of patient data).  Please follow all of these links to catch yourself up on the conversation, if you haven't been following along.

Mark suggests in his recent post that each of us should offer an emendation to the standard HIPAA Notice of Privacy Practices, directing our health care providers to upload our health data into our PHR of choice, and has called for some editing assistance.

My gut level reaction to Mark's suggestion is to agree that it makes sense and to dive into the editing.  Unfortunately, making sense is not a prerequisite (and may even be an impediment) to adoption of suggestions like this.

In my post on the Declaration of Health Rights (linked to above), I wrote that one key approach to ensuring that there be more widespread sharing of data would be for participatory-medicine-minded health care providers to revise their Notices of Privacy Practices (NPPs) (as they will have to by February, thanks to the Son of HIPAA rules under the HITECH Act effective then).  One reason for my suggestion that the change come from the provider side is very pragmatic.  Privacy advocates have promoted a number of emendations to the standard NPP language used by health care providers, but my educated guess is that virtually all health care providers collecting signed NPPs are completely incapable of managing such "exceptions."  Are they required to do so?  Yes.  Can we reasonably expect that they will?  No.  So the carefully-drafted amendments are, at best, sitting in non-digitized storage somewhere, collecting dust.

In the #hcflower conversation in the past week or so on twitter and elsewhere, prompted by a guest post and subsequent discussion on Howard Luks' (@hjluks) blog, a core of health care providers and HIT cognoscenti have begun wrestling with the technical details that would have to be working in the background to enable the instant availability of patient data to any relevant clinician or health care facility.  Because of the difficulties inherent in this exercise, Mark's proposed NPP amendment addresses the existing EHR/PHR architecture; nevertheless, it seems to me that it is probably premature -- even if acknowledged and honored by health care providers, the data shared would, more likely than not, be of the quality experienced by ePatientDave, leading him to exclaim "Gimme My Damn Data," and would very likely not be provided in real time (leading, of course, to the potential of excess testing and inappropriate treatment).

There are other related issues raised in the #hcsm tweetchat, but those are perhaps best reserved for another day.

So, what do you think? 

• Are patients now ready to insist on having their health care providers upload their health information to PHR systems such as Google Health or Microsoft HealthVault?  How can patients ensure that these data be transportable from a tethered PHR to a freestanding one if and when they change providers or insurers?
  
• Are PHR platforms and health care providers prepared (and equipped) to act on these requests?  My working assumption is that the answer at the moment is no, since there are some technical issues to overcome.  One approach to the technical issues relating to real-time queries from one provider to another's EHR is outlined here.  It is unclear to me what would be involved (in time and money) in getting from here to there.  (Technical congnoscenti: help me out here.)
  
• What other questions need to be asked and answered in order to move this further along?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Ten Years After "To Err Is Human"

Ten Years After sang "I'd Love to Change the World" more than ten years ago. 

Sadly, ten years after the seminal IOM report on medical errors -- To Err Is Human -- was released, we should all be singing that song, because that wake-up call has gone largely unheeded; or perhaps a better way of putting it would be to say that efforts to address the issues raised by the report have not been uniformly successful.  The Interdisciplinary Nursing Quality Research Initiative released the following observations today:

In 1999, the Institute of Medicine’s (IOM) groundbreaking “To Err Is Human” report found that as many as 98,000 people die each year from medical errors in hospitals, making medical errors a more common cause of death than motor vehicle accidents, breast cancer, or AIDS. The report estimated that these errors cost the country nearly $38 billion each year.

Ten years later, medical errors are still a widespread problem in the American health system.  More than 1.5 million Americans are sickened, injured, or killed by medication errors each year.  1.7 million Americans battle illnesses due to hospital acquired infections, 99,000 of whom die.

INQRI posted several perspectives on the topic on its blog, including an interview with BIDMC CEO and blogger Paul Levy.  Like many health care organizations across the country, BIDMC has worked to improve quality and address medical errors over the years and, in fact, was recently recognized by the Leapfrog Group as one of 45 "Leapfrog Top Hospitals" nationwide.

The information from INQRI shows that medical error morbidity and mortality is on the rise, not on the decline, despite the attention paid to this vexing issue in the decade since "To Err Is Human." 

The question remains: How can these quality issues be addressed in the context of current health reform efforts?  Where are the "best practices" that all health care providers can learn from?  Are there best practices that are easily transferable from setting to setting?  Much has been said about "bending the cost curve," but more needs to be said -- and, more importantly, done -- about taking concrete steps to improve quality by aligning incentives properly.  Payment system reform, creating new incentives for efficient and effective care delivery, ought to be closer than it is to front and center in the current health care debate.  In addition, more attention must be paid to aligning the incentives of the various payers in the health care delivery system.  For example, employment of physicians seems to be the way of the future, though some folks trying to move large systems in that direction have been burned (Exhibit A: Alegent).  Integrated delivery systems with employed physicians seem to be able to do the best at aligning incentives, though there are certainly some counterexamples out there (including BIDMC).

This is an issue that must be addressed by lawmakers, payors and the delivery system, working together -- or at least aiming in the same direction.  Thus far, we have seen only incremental progress, at best.  

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Health Care Social Media Legal Issues and Strategy Webinar

Today's HIPAA and Your Social Media Strategy webinar, which I presented together with Jamie Verkamp of (e)Merge, was a success.  We had a good turnout, interesting questions and engaging discussion.  Here is a version of the slide deck I used today, complete with links to other useful resources here at HealthBlawg and elsewhere on the web.

Social Media In Health Care Legal Issues

View more presentations from DavidHarlow.

Jamie and I will be repeating this webinar in two weeks, on December 2 , at 1:00 p.m. Eastern, 12:00 Central.  If you missed it the first time around, or would like to recommend it to a colleague, you can register here.

If you have any questions or comments on the subject, we'd like to hear from you.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who's Ready?

HIMMS Analytics surveyed about 250 hospital and business associate representatives, and came up with some figures to back up what we all knew in our hearts:  Most hospitals are gearing up for compliance with the HITECH Act / Son of HIPAA data security and breach notification requirements, but many experience data breaches -- about half of hospitals surveyed in the past year -- and business associates lag behind hospital in awareness and preparedness for compliance with new business associate requirements.

Check out the full report on the HITECH Act's impact on privacy and security, and check out recent HealthBlawg posts on HITECH Act and Son of HIPAA issues here: HITECH Act security breach rules now effective; Comments on HITECH Act breach notification rule from Capitol Hill; and Son of HIPAA Breach Notification Rules. 

Anyone who needs to be convinced that attention must be paid to this issue need only check out the cautionary tale of the Virginia prescription record security breach or any of the many breaches detailed here or here.

The survey provides a handful of key take-away points:

• Risk assessments are common practice but alone do not mitigate breach risks.
• Large hospitals experience the most data breaches and are at the greatest risk for future incidents.
• Business associates are generally unprepared to meet the new data breach related obligations brought on by the HITECH Act.
• Health care organizations are prepared to sanction business associates that don’t comply with the regulations outlined in the HITECH Act.
• Inter-departmental disconnects between IT and Compliance on data breach policies and procedures leave hospitals at risk.

Bottom line: most health care provider organizations and most business associates (vendor organizations) have a great deal of work to do, not only in terms of conducting a through review of policies and procedures so as to come up with a gap analysis, but also in terms of implementing policies and procedures to fill the gaps identified, and to conduct appropriate trainings at all levels of the organization, including clear delineation of lines of communication regarding data security matters.

The Harlow Group network stands ready to assist provider and vendor organizations in preparing themselves for full compliance with the new HIPAA requirements promulgated in the HITECH Act and its regulations.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Social Media Session at Oklahoma Hospital Association Annual Meeting

Yesterday I had the pleasure of sharing the podium -- at least virtually -- at the Oklahoma Hospital Association's annual meeting with two leaders in the health care social media sphere, Ed Bennett of the University of Maryland Medical System and Lee Aase of the Mayo Clinic, for a program on health care social media presented by the Public Relations and Marketing Society of the OHA.  Our host, Brenda Finkle, and others, livetweeted the session.  Here for your perusal are our presentations.

Presentation at the Oklahoma Hospital Association

View more presentations from Ed Bennett.

Oklahoma Hospital Association

View more documents from Lee Aase.

David Harlow on Social Media In Health Care Legal Issues - OHA

View more presentations from DavidHarlow.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Son of HIPAA Breach Notification Rules

Health care providers: If your patient records aren't already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government -- as well as by some private payors and self-insured employers -- to get all health care providers wired in the near future, in order to better coordinate patient care, improve outcomes, and "bend the cost curve" all at the same time. There are some financial incentives in play to achieving "meaningful use" of "certified" EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.

Once all that patient data -- or as it is known in HIPAA-speak, protected health information (PHI) -- is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach. Compliance with these rules -- issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to health care providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties -- requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity-certain data breaches require notice to potentially affected individuals via the general media in addition to notices required to be fled with the regulators. The new rules -- I call them Son of HIPAA -- are layered on top of existing HIPAA privacy and security rules, the FTC's Red Flags Rule regarding identity theft protections to be put in place by any "creditor" (which includes health care providers not paid in full at the time of service -- though the effective date of Red Flags Rule is now delayed yet again), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that patients will not be bombarded with multiple data breach notifications about the same incident, for example, the other applicable rules out there have not been harmonized.

The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (i.e., unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.

Another important aspect of the rule is the concept of harm-the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that "pose a significant risk of financial, reputational, or other harm to the individual." For example, if an employee of a health care provider accesses a patient record inappropriately, but immediately realizes his or her mistake, and exits the record quickly and does not retain any PHI, that is not a reportable data breach.

Finally, "business associates" under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of "covered entities" under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Health care providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients' rights to their records are easily exercised could be a way to build goodwill among patients and potential patients.

This is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.

A version of this post was published on HCPlive.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

David Harlow quoted in "Social Networking 101 for Physicians" piece in Mass Medical Law Report

More and more physicians are exploring the use of social media in their practices, and the Massachusetts Medical Law report ran a piece on Social Networking 101 for Physicians recently, quoting Kevin Pho of KevinMD, Jim Tobin of Ignite Health (regards to Fabio aka @skypen!) and me, among others.  As I posted recently, I will be giving a free webinar on the subject of regulatory issues around social media in health care on November 18, together with Jamie Verkamp of (e)Merge, who will speak to other aspects of planning a social media presence.  In addition to working with Jamie, whose agency focuses on physician practices, I am also working with agencies focused on hospital social media planning.  If this piques your interest, please register for the social media webinar and/or get in touch to discuss strategies for your organization and the regulatory hurdles you need to be aware of in the planning process.  FYI, my slides will be posted after the webinar.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

HIPAA and your social media strategy - Webinar November 18, 2009

Physicians, practice managers and other health care providers and managers considering a foray into social media, you are invited to join The Harlow Group and (e)Merge for a webinar discussing this timely and important topic.  Here is the (e)Merge announcement:

HIPAA and Your Social Media Strategy

Health care has taken notice of social media as a way to connect and interact with patients. With the escalating use by physicians, medical professionals, hospitals and clinics, concerns are growing as to how HIPAA regulations affect your online presence. Join Jamie Verkamp of (e)Merge as we sort out the confusion with leading health care attorney David Harlow, Principal of The Harlow Group.  We'll answer your questions and share valuable tips on how your practice can develop an effective social media and online strategy, while remaining compliant with HIPAA and other applicable rules.

Join us for a complimentary webinar sponsored by (e)Merge and The Harlow Group on Wednesday, November 18th at 1pm Eastern. Please feel free to share this invitation with others who you think may benefit from this webinar.

Please feel free to forward questions for Jamie or me in advance of the webinar so that we may be able to address them in our presentations.  We look forward to being with you virtually on the 18th.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting