Privacy is Easy. Not.
November 28, 2011
As more health information is captured and stored digitally, storing, tagging and protecting data is becoming a major challenge, especially for smaller organizations which lack full-time IT staff.
A recent exchange on the Health Data Management website illustrates the problem. HDM blogger Rob Tholemeier, an IT analyst, posted the following comments under the heading “Privacy is Easy”:
“The interesting thing is that it is quite easy to implement significant deterrents against these sorts of inappropriate (snooping) accesses using the principle of notification.”
“Most EHRs provide an electronic logging mechanism that records each authorized access of health information. The EHR usage log contains records of the person accessing the records, the information accessed, and the patient’s ID. All that would be required to greatly reduce the incidence of casual or criminal snooping would be to pass these log records against a patient notification profile.”
This prompted the following comment:
“This shows a complete lack of appreciation for how difficult it is to manage privacy and security in healthcare. Even with the required functionality that is now incorporated in every certified EHR it is not just as simple as turning it on. There are literally thousands of accesses daily to patient records, by care givers in multiple roles, and others involved in the case or encounter. VIP rules only address a fraction of these events. Without a third party solution to take the log data, index it and create the appropriate alerts and/or reports this task is not inconsequential.”
Are there any solutions on the horizon?
Maybe. The ONC recently began a new Data Segmentation Initiative. This will develop standards to electronically tag and separate sensitive health information.
For example, data segmentation would allow health care providers, consumers and other stakeholders to choose what specific pieces of health information to share and who can access these segments.
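To make the exchange above concrete, here is an added example (not code from the post or from any EHR vendor) of what "passing log records against a patient notification profile" involves. It assumes constructed access-log records, a care-team assignment table and per-patient notification profiles; note that a flagged access only becomes a patient notification when the profile asks for one, which is the gap the second commenter points at.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str
    role: str
    patient: str
    item: str
    reason: str  # documented reason code, "" if none

# Constructed sample EHR usage-log records (hypothetical users and patient IDs)
ACCESS_LOG = [
    Access("dr_lee", "physician", "P100", "progress_note", ""),
    Access("rn_kim", "nurse", "P100", "med_list", ""),
    Access("coder_1", "him_coder", "P100", "encounter", "BILLING"),
    Access("rn_kim", "nurse", "P200", "demographics", ""),    # not on P200 care team
    Access("dr_lee", "physician", "P300", "lab_results", ""),  # VIP, not on care team
    Access("coder_1", "him_coder", "P300", "encounter", ""),   # bulk role, no reason code
    Access("rn_kim", "nurse", "P400", "demographics", ""),    # flagged, but nobody notified
]
# Constructed care-team assignments and patient notification profiles
CARE_TEAM = {"P100": {"dr_lee", "rn_kim"}, "P200": {"dr_patel"},
             "P300": {"dr_patel"}, "P400": {"dr_patel"}}
PROFILES = {"P100": {"notify": False, "vip": False}, "P200": {"notify": True, "vip": False},
            "P300": {"notify": False, "vip": True}, "P400": {"notify": False, "vip": False}}
BULK_ROLES = {"him_coder", "billing"}  # roles that legitimately touch many charts

def classify(acc, care_team):
    """Return None when the access is explained, else a short reason it is not."""
    if acc.user in care_team.get(acc.patient, set()):
        return None
    if acc.role in BULK_ROLES:
        return None if acc.reason else "bulk role without reason code"
    return "user not on care team"

def review(log, care_team, profiles):
    """Every unexplained access becomes an alert for the privacy officer;
    a patient notification is queued only if the profile opts in or flags VIP."""
    alerts, notifications = [], []
    for acc in log:
        why = classify(acc, care_team)
        if why is None:
            continue
        alerts.append((acc.patient, acc.user, why))
        prof = profiles.get(acc.patient, {})
        if prof.get("notify") or prof.get("vip"):
            notifications.append((acc.patient, acc.user, acc.item))
    return alerts, notifications

if __name__ == "__main__":
    a, n = review(ACCESS_LOG, CARE_TEAM, PROFILES)
    print(f"{len(a)} unexplained accesses, {len(n)} patient notifications")
```

Running it yields four unexplained accesses but only three notifications: the P400 access is caught by the rules yet never reaches the patient, which is why the log-to-profile matching alone does not close the snooping problem.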
Battle Erupts Over ICD-10
November 17, 2011
“Everybody wants to get into the act,” was a classic line Jimmy Durante muttered when another comedian joined him on stage.
After the AMA’s surprise announcement that it will fight implementation of the coming ICD-10 standards, a number of organizations and individuals right, left and center have weighed in.
For example, a Forbes magazine reporter applauded the AMA action, writing:
“The Administration, between the stimulus bill and Obama Care, has jammed a number of ‘reforms’ down doctors’ throats with nary a gag. Since 2009 doctors have been told that they can’t own their own hospitals, they must use expensive and often buggy electronic health records, they have to work for 29.5% less, and they must kiss the rings of local hospitals and HMOs to form dubious partnerships called ACOs. Soon they will have to seek approval for treatments from an unelected 12-member panel of experts in rationing care.”
One key group to oppose the AMA (and support the current deadline) is AHIMA, where a top executive noted that administrative systems can be easily implemented for most primary care practices and that specialty practices would only be using a small number of ICD-10 codes.
Where do HIT vendors stand on this? If they sell to hospitals, they probably support the current October 2013 deadline because they have sold many of their customers on an implementation program. If they are one of the many small EHR vendors that sell to physician practices, they may be hoping for delay to avoid the cost of implementation.
Why are the physicians of the AMA (who are generally from smaller practices) so strongly opposed to the ICD-10 mandate?
Start with the fact that almost half of physician practices with five or fewer docs have yet to adopt an EHR. For various reasons, they just don’t want to go digital.
According to the AMA, its main concern is cost. AMA President Peter W. Carmel, MD, said the cost of ICD-10 implementation would be about $28,000 per physician and that a 10-physician practice would spend about $285,195 to make the coding change.
At Modern Healthcare’s HITS newsletter, Joe Goedert published excerpts from a number of letters pro and con.
One skeptic wrote “It is interesting that the shift to the new ICD-10 coding scheme is facing opposition from the AMA. The new system of coding offers increased specificity and granularity, thereby providing better diagnostics and targeted treatment of illnesses.”
Another opined, “The ICD-10 codes are free to everyone, unlike the AMA copyrighted CPT codes which continue to be mandated.”
The AMA is powerful, but not nearly as important as it used to be. Its membership has declined in the last decade and a number of other power centers, notably hospitals, health insurers and pharmaceutical companies have emerged.
New HIPAA Rules Set for 2012
November 7, 2011
In the world of the highly-publicized “mega-breach” of medical information (e.g. at large health plans and academic medical centers) it is easy to forget that small breaches occur on a regular basis.
According to HHS, in 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals.
What do medical practices and smaller covered entities need to report?
Writing in the EMR and HIPAA newsletter recently, Jan McDavid, general counsel at HealthPort notes that “smaller, one- or two-record breaches do not require immediate notification to HHS. The HITECH Act says they should be aggregated and sent to HHS at the end of each year.”
McDavid adds that “The most common, inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches.”
“For example, the CE (covered entity) gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record either paper-based or electronic, say medical record #12344 and sends it. The result—a breach!”
The attorney advises that when a breach occurs, the CE must evaluate whether it is necessary to send a notification to the patient. When patients are notified, their reactions vary, the attorney said. “Sometimes we see ‘breach fatigue’ by patients. They hear so much about breaches that any leakage of their information is considered ‘no big deal’ and simply a reality of modern, high-tech times.”
Complying with HIPAA privacy and security requirements will get harder for small medical groups in the next year.
Writing in a recent issue of Health Data Management, Joe Goedert reports that the HHS Office for Civil Rights (which enforces HIPAA) has published a proposed rule, mandated under the HITECH Act, to strengthen provisions of the HIPAA privacy, security and enforcement rules. OCR expects to release a final “omnibus” rule this year, which also will include changes to the breach notification rule.
Currently, CEs are liable for the failure of their business associates to abide by HIPAA rules, but there are circumstantial exemptions. Under the proposed new rule those exemptions would be removed, exposing covered entities to liability for any violations by business associates.
The HDM reporter explains, “The exemptions were dropped in the proposed rule because legal liability under HIPAA would be expanded to business associates. The (new) rule also expanded the definition of ‘business associates’ to include health information exchanges, health information organizations, electronic prescribing gateways, patient safety organizations and vendors that contract with covered entities to offer personal health records to patients, making these entities also liable.”
This is a major expansion of HIPAA privacy protections for consumers, but it also brings a new set of headaches to physician practices, which will now have to get new assurances from their business associates about their privacy and security procedures.