184 posts categorized "HIPAA"

December 05, 2008

UnitedHealthcare: Stranger than fiction

Uninsurance insurance.  Yep, that's the latest arrow in the quiver of health care insurance giant UnitedHealthcare.  As it loses covered lives thanks to layoffs of folks insured through employer-sponsored plans, UHC is looking to pick up a few bucks by selling insurance to folks who are currently insured but fear they might not be at some time in the future.  By paying 20% of what their health insurance premiums would be, folks can lock in access to health insurance in the future without having to worry about pesky details like pre-existing conditions and personal risk profiles that would pump up premiums in non-community-rated jurisdictions.

At least two fellow Health Wonks have weighed in already: Bob Laszewski lays bare the folly in this endeavor in a Julie Rovner piece on NPR, and Joe Paduda shakes his head in wonderment at Managed Care Matters.

Here's the thing: between COBRA (which lets you buy continuation coverage post-employment at essentially the same rate -- yes it's expensive, but it's no more expensive than what UHC is offering to guarantee access to), and the right under HIPAA to buy insurance individually or through a new group plan even after a gap in coverage if you have sufficient "creditable coverage," with no pre-existing condition exclusions, most bases are already covered.

UnitedHealthcare's move looks to be a cynical combination of fearmongering and a bet against meaningful health care reform under an Obama administration.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 21, 2008

Patient Safety Organization regulations finally finalized

PSO regulations under the Patient Safety and Quality Improvement Act of 2005 have finally wended their way through interminable process and have made it to publication as final regulations in today's Federal Register, effective January 19, 2009.

The introductory commentary on the rule explains that it

create[s] a voluntary system through which providers [may] share sensitive information relating to patient safety events without fear of liability, which should lead to improvements in patient safety and in the quality of patient care. The [rule reflects] an approach to the implementation of the Patient Safety Act intended to ensure adequate flexibility within the bounds of the statutory provisions and to encourage providers to participate in this voluntary program. The . . . rule emphasize[s] that this program is not federally funded and will be put into operation by the providers and PSOs that wish to participate with little direct federal involvement. However, the process for certification and listing of PSOs will be implemented and overseen by the Agency for Healthcare Research and Quality (AHRQ), while compliance with the confidentiality provisions will be investigated and enforced by the Office for Civil Rights (OCR).

AHRQ explains further:

The goals of the Patient Safety Act are to encourage the expansion of voluntary, provider-driven initiatives to improve the safety of health care; to promote rapid learning about the underlying causes of risks and harms in the delivery of health care; and to share those findings widely, thus speeding the pace of improvement. The Patient Safety Act:
  • Encourages the development of Patient Safety Organizations (PSOs)—organizations that can work with clinicians and health care organizations to identify, analyze, and reduce the risks and hazards associated with patient care.
  • Fosters a culture of safety by establishing strong Federal confidentiality and privilege protections for information assembled and developed by provider organizations, physicians, and other clinicians for deliberations and analyses regarding quality and safety.
  • Accelerates the speed with which solutions can be identified for the risks and hazards associated with patient care by facilitating the aggregation of a sufficient number of events in a protected legal environment.

The integration of state peer review protections, HIPAA protections and PSO confidentiality rules will serve to close some gaps that existed in the patchwork system we have had to date.

All in all, this is a welcome step forward for the further development of evidence-based medicine, taking into account details of negative outcomes and using those outcomes as learning opportunities for the system as a whole without exposing individual providers to additional potential liabilities.  Through the improved protections, these regulatory changes will enable provider organizations to realize more fully the patient care improvement promise of EHRs as well.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 03, 2008

New Massachusetts identity theft regs overlap with HIPAA, FTC Red Flag rule

Massachusetts identity theft regs take effect January 1, 2009.  Any business that does no more than keep a copy of a personal check from a client or customer on file is subject to these new rules, which require implementation of a security program covering any "personal information" maintained in a business' files.  "Personal information" means any non-public linking of a person's name and Social Security Number, driver's license number, or financial account number (debit, credit or bank account number).  The enabling statute does not apply to state government agencies, but Gov. Patrick brought them into the big tent by executive order.

Internal and external security audits and employee training will be required.  

For those lucky enough (!) to be subject to HIPAA already, these requirements will not be that difficult to accommodate, as the new rules cover familiar territory.  However, HIPAA pre-emption analyses and compliance programs will need to be reviewed, to be sure that Massachusetts health care providers, payors and clearinghouses maintain full compliance with both federal and state rules in this area.

Both healthcare and non-healthcare-sector businesses may have to consider doing a further pre-emption analysis, looking at the recently-delayed FTC Red Flag rule.  

If HIPAA regulation and compliance efforts are an indicator, one of the thornier issues to deal with in coming into compliance with these rules will be establishing parameters for remote access of personal information.  Also, as under HIPAA, it will be interesting to see whether private enforcement efforts will be permitted under the new law. 

TOH: Colin Coleman, John Koenig.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


October 10, 2008

David Harlow quoted in Radiology Today on HIPAA compliance reviews

I spoke last month with Radiology Today on the question of HIPAA compliance, in light of increased, or at least more public, enforcement.  HIPAA security compliance audits are underway, and providers need to be aware of what to expect.  The best defense is still a good offense, which in this case means conducting an audit and beefing up policies and procedures, as necessary.  For further information, see an earlier HealthBlawg post.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

September 19, 2008

CVS Minute Clinics: First Massachusetts sites open this week

Minute Clinic opened for business in Massachusetts this week.

Check out the HealthBlawg archive on Minute Clinics.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

September 18, 2008

Where does HIPAA go? Wherever it wants.

The GAO just issued another assessment of HHS's and ONCHIT's progress in identifying and addressing key HIPAA and other health IT related privacy issues, and developing an overall approach to HIT privacy.  The federales -- not known for nimbleness -- have made significant progress, but have not yet fully addressed all of the issues on this front tagged by GAO in its February 2007 HIT report.  In GAO-speak:

We recommended that this overall approach include (1) identifying milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles in HIPAA are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of our recommendation, and it has taken important steps in addressing the two other parts. Nevertheless, these steps have fallen short of fully implementing our recommendation because they do not include a process for ensuring that all key privacy principles and challenges will be fully and adequately addressed. In the absence of such a process, HHS may not be effectively positioned to ensure that health IT initiatives achieve comprehensive privacy protection within a nationwide health information network.

This assessment may, in fact, be too kind.  The federales' June 2008 HIT strategic plan, though full of privacy and security objectives, strategies and compliance, has been critiqued by some observers as being somewhat out of touch with reality.  There's a lot further to go.

In related privacy news, HHS released some HIPAA FAQs this week -- two information sheets, one directed at consumers and one at providers.  No new information there, but perhaps they will be useful in eliminating basic HIPAA confusion in some quarters.  HIPAA should no longer be the universal excuse for being unable to provide information to or about a patient, or to agree to a particular provision while negotiating a deal (though it's still proffered as an excuse sometimes, as are Stark and Sarbanes-Oxley, usually more because a party to a negotiation just doesn't want to agree to a particular contract term and is seeking to hang their hat on some external factor).

Moving from HIPAA privacy to HIPAA security: Another recent development is the release of a new health informatics information security management standard by the ISO.  Quoth the press release:

ISO 27799:2008 applies to health information in all its aspects – whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it. The standard specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their size and circumstances.

It remains for someone better-versed in the technical end of things than I am to assess whether ISO compliance and HIPAA compliance could dovetail neatly in a manner that may yield more reliable protections for health information security, or whether this ISO standard will be a wrench thrown in the works of evolving HIPAA security rule compliance.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

August 10, 2008

Does the DNS security hole worry the EHR and PHR worlds?

I read a disturbing article in the NY Times last Friday about Dan Kaminsky's talk at the Black Hat conference: he's been beating the drum for a while now, warning of what sounds like a serious security hole in Domain Name System (DNS) server software offering an open door to hackers of websites containing confidential information and into email (which could allow phishing for usernames and passwords for otherwise protected sites).  The technorati seem to agree that he's identified a serious problem, and it seems that not all affected parts of the internet infrastructure have applied patches or upgraded their software.

Yet another reason to be wary of assurances that if the internet is safe for banking then it's safe for health care information.  Even the latest compact on privacy doesn't count for much in the face of a technical issue of this magnitude.

Providers that have not adopted EHR systems to date could use this sort of news as an additional excuse to try to delay the inevitable.  A study published in the NEJM a couple of months ago found that the reason most often given for lack of EHR in a practice is cost.  (One commentator takes issue with that conclusion.  I've also posted in the past about issues other than cost that stand in the way of EHR adoption.)

On the PHR front, this sort of news could scare off many people from uploading their health data into Google Health or Microsoft's HealthVault.

However, the bottom line is that there is clinical value to using electronic health records and personal health records, and to the extent that providers and patients see that value, the benefit can be weighed against the cost of a potential security breach.  The cost-benefit analysis will vary from person to person, depending on a variety of factors ranging from EHR considerations like the short-term effect of EHR adoption on productivity vs. the clinical benefits that can accrue to patients, to PHR considerations like tolerance for junk mail, a snowbird's desire to keep doctors in two locations up to speed on conditions and treatments, and concerns about being denied employment due to a genetic predisposition to an occupational disease.  (I know that's supposed to be illegal, but, gee, do you think that might happen sometimes anyway?)

Would I prefer to stand firm and insist on perfect online privacy protections for financial and health care information?  Of course!  Is that practical?  Of course not! 

A few years back, my credit card information was inappropriately released by a vendor that apologized semi-profusely and paid for a year's worth of fraud monitoring and reporting.  Have I stopped using credit cards?  No.  The cost would be too great.  Am I concerned that my physician's EHR system could be hacked into?  Well, my thinking on that is that hackers with limited resources probably want to go after something with greater interest, or at least greater value in the marketplace (e.g., Britney Spears' medical records) so I am willing to continue to be part of the online system.

I am resigned to living with some of the burdens of modernity.  Having completed my own cost-benefit analysis, I am not willing to live "off the grid."  Some of you out there may be willing to do so -- you'll maintain your privacy, but you won't be able to read HealthBlawg any more.

-- David Harlow


June 26, 2008

MAeHC's second HIE goes live in Newburyport

MAeHC CEO Micky Tripathi blogged today about the launch of the MA eHealth Collaborative's latest accomplishment -- the launch of its second (of three planned) community-wide health information exchanges, this one in greater Newburyport.  Patients can opt in to the system, which allows for sharing of health data community-wide: labs, hospitals, physician offices, etc., thus promoting better coordination of care and less duplication of diagnostic testing.  In the future, there will be a patient portal as well, allowing patient access to all this information, too.

Given the strides made in the PHR market since this HIE project first got under way, I wonder whether the Google Healths and Microsoft HealthVaults of the world may obviate the need for some pieces of the infrastructure of local HIEs, bringing them more within reach financially for a broader range of providers and communities -- particularly as privacy, interoperability and chain-of-trust issues are better addressed on those platforms (see my earlier post touching on recent developments in those arenas).  There have been myriad workflow and process improvements that MAeHC has helped local providers make as they prepared for the transition to EHRs; my observation is limited to the "last mile," if you will, the connections among providers and between providers and patients.

Update 6/27/08:  Micky reacts to my PHR vs. HIE infrastructure musings here.  The article re: HealthVault linked to above piqued my curiosity on this front, but I suppose real-world implementation is a ways off.  More on the announcement here, straight from MSFT.

-- David Harlow

PHR privacy breakthrough?

Connecting for Health, a broad industry coalition organized by the Markle Foundation, announced yesterday a framework for PHR privacy protection that could, if fully implemented, bridge the gap from HIPAA protection of PHI in the covered entity and business associate realm to the Wild West environment in the world of PHRs.  Parties endorsing the Common Framework for Networked Personal Health Information include Microsoft, Google, payors, providers, IT vendors, and associations from AHIP to AARP.

This framework has been in development for 18 months, and is being touted as the solution to the PHR privacy question -- i.e., how can PHR vendors be trusted to keep personal health record information private if they are not covered by HIPAA or other regulatory strictures.  The response to date has been, essentially: "Hey, we have a privacy policy."  As these policies, by their terms, may be revised without advance notice, they are (even if they are very good) not much to rely upon.

Since this is a framework rather than a finished product -- guiding principles rather than fully-fleshed-out rules -- some of the same nagging questions that I have raised before elsewhere at HealthBlawg (as have many others) remain.  For example:

  • How are privacy policies enforced?  Self-policing?  Third-party certification?  This seems to be up in the air at the moment.
  • Is there a mechanism for health care provider certification of records ("chain of trust"), so that PHR information may be trusted by other providers?  This seems to be in the works.

There is a tremendous amount of information provided via the links above, and the participants in this effort are to be commended for their undertaking, which has been made necessary by the regulatory vacuum in this field and by the concomitant need to develop public trust in a whole new type of products and services that would otherwise be seen as useful but perhaps too risky.  There's a long road ahead, but this framework puts us several steps down that road.

-- David Harlow
 

June 17, 2008

Patient compliance with prescription regimens, evil for-profit health care companies, and Health 2.0

Last week, Paul Levy blogged on patient compliance with drug regimens, offering some statistics courtesy of Express Scripts, the recently-fined PBM.  (I caught wind of Paul's post only yesterday, thanks to my wife the Luddite who has the Boston Globe delivered to our doorstep.) 

No surprise, compliance is kinda low.  Commenters on Paul's post noted -- among other things -- that (1) using the word "compliance" is un-PC, as it assumes that Doctor Knows Best, (2) MDs are run ragged by HMOs so they can't be expected to explain drug regimens to patients and (3) can't trust Express Scripts.

(Interestingly, as an aside, Express Scripts announced this spring the establishment of The Center for Cost-Effective Consumerism once it realized that it could influence consumers to switch to higher-profit-margin generic cholesterol medications.)

This brought to mind a troubling statistic I saw a few weeks ago: Massachusetts is number one in the nation for e-prescribing, but that only means that 13% of scrips are handled electronically.  The rate of adoption has been infernally slow here in Beantown, even worse elsewhere (top ten states include some barely above the 2.5% mark).  The federales may try to encourage (rather than mandate) e-prescribing using legislative carrots, and have laid the groundwork for a national e-prescribing system with uniform standards through regulations (see the e-prescribing regs issued recently by CMS, along with the related press release and e-prescribing page).

The regs address many of the concerns of the naysayers (esp. interoperability, and also privacy concerns, though further legislative action -- e.g. "TRUST" -- would be helpful), and the potential benefits are enormous: avoiding the illegible scrawl/med error issue, automated drug interaction checks, cost savings to patients through improved and automated prescriber-insurer-pharmacy communication about formulary restrictions and -- back to Paul's issue -- feedback to prescribers regarding whether or not a prescription has been filled (many are not), giving prescribers and their staffs an opportunity to contact noncompliant patients with reminders or potentially other resources (including financial resources and referrals to sources of payment/insurance) to address the reasons for noncompliance.

-- David Harlow