Moses Cone Health System in Greensboro, NC, has sent letters offering free credit monitoring to 14,380 patients after a laptop computer containing confidential information was stolen from a vendor in Canton, GA. The health system said the information on the computer was not encrypted but was password-protected and contained a software program that requires training and expertise to use. Moses Cone said the health system does not know of any instance in which the information has been disclosed or misused or if the laptop was taken for that purpose.
Google Health and others in the fast-growing personal health record business say they are offering a revolutionary tool to help patients navigate a fragmented healthcare system. Some doctors, however, fear that inaccurate information from billing data could lead to improper treatment.
New federal HIPAA laws are here. Anxiety at hospitals is not.
That wasn’t the case in 2003, when providers scrambled for answers to comply with the new privacy and security rules of HIPAA.
Then, many had trouble even getting the acronym right (admit it, we’ve all written "HIPPA" at one time or another).
Here we are today, six years later, and with a Congress eager to move the industry to EHRs by 2014—and even more eager to protect patients’ privacy in the process.
Now that Congress (finally) strengthened HIPAA enforcement and toughened compliance requirements through breach notification processes and accounting of disclosures on EHRs, what’s the reaction in the industry?
Well, picture this. It’s kind of like the Boston Celtics just signed Larry Bird. Not Larry Bird, the NBA Hall of Famer, three-time NBA champion and three-time NBA Most Valuable Player of the 1980s.
We’re talking about Larry Bird today—the 52-year-old, out-of-shape president of Basketball Operations for the Indiana Pacers.
If you’re the rest of the league, you’re not really sweating it.
Analysis: HITECH Gives HIPAA New Teeth
HITECH Act will impose stricter HIPAA requirements and stiffer penalties for violations. But at this point, the changes aren't worth losing a lot of sleep over. —Elyas Bakhtiari
"I'm afraid that at this time we are not moving too quickly with any changes in our practices," one privacy officer told us. "The corporate direction we have been given does not have us moving immediately to revise applicable policies/procedures. As we both know, once a bill is signed there are timetables by which compliance will be required and that, generally, allows organizations sufficient time to bring their practices up-to-date. We are, merely, digesting all the material that is coming out with respect to this Act."
That’s the Cliff’s Notes version of our research at this point. The key phrase here is reluctance—not ignorance.
Hospitals certainly plan to do something in light of security provisions in the HITECH Act. In fact, 98% of respondents in our HITECH survey of 300 privacy and security officers said they plan to revisit their HIPAA compliance and training programs.
"One thing I do see is people taking their policies off the shelf and revisiting them to see how they will need to be amended to accommodate those requirements and definitions which are soon to be established by those governmental entities as identified within the HITECH Act," says Frank Ruelas, MBA, the creator of www.hipaabootcamp.com who is based out of Scottsdale, AZ. "Sometimes it takes an event such as the passage of new legislation to serve as the tipping point to get folks to take action."
So why the reluctance now?
Our feedback tells us hospitals don’t want to move too much with regulations that have yet to be defined. And there are a host of them, including:
The definition of "unsecured protected health information"
What must be included in an accounting of disclosures in EHRs
When the Secretary of HHS will conduct audits of organizations
What "meaningful user" means on EHR
And in a shocker, hospitals said they just can’t invest money right now.
Furthermore, some providers told us they’re more worried about the Red Flags Rule deadline—May 1. Hospitals considered to be creditors must set up a policy and procedure that helps them identify "red flags" on identity theft, prevents them and corrects them through self-audits (the FTC last week came out with some nice guidance to help comply).
So where is your organization on the HITECH Act? Is the panic button a 2 or 3, or is it up to a 9 or even a 10?
If you’re like most of the industry, it’s probably the former. And essentially, those hospitals with a strong HIPAA compliance and training program in place should be fine with the new regs. If you are confident your facility won’t have a breach, then you need not worry about federal auditors or breach notification requirements.
But for those who don’t have a policy in place—and perhaps those who have suffered a breach of privacy at one point (see: CVS)—then, well, maybe your panic level should be a 10.
Because after all, federal law is federal law. Just like Larry Bird is Larry Bird.
President Obama announced that his administration will create an electronic record for veterans that will "contain their administrative and medical information from the day they first enlist to the day that they are laid to rest." Obama has made electronic record-keeping a key feature of his healthcare reform effort, but a problem is how the military and VA hospital systems will be able to communicate with each other.
A robot is helping doctors and nurses at Clearwater Valley Hospital in Idaho expand their access to big-city medicine. The 5-foot-2-inch robot connects primary care doctors with psychiatrists and other specialists at Saint Alphonsus Regional Medical Center in Boise. It also allows nurses, while they treat patients or assist in the operating room, to be critiqued and guided by experts at the larger hospital. Casey Meza, chief executive officer of Clearwater, said the robot is opening a new realm of medical services that wouldn't be available otherwise.
The conference center in Chicago is buzzing about the American Recovery and Reinvestment Act. Just about every hand shot up when Howard Burde, JD, a partner and health law practice group leader with the law firm, Blank Rome, LLP, asked attendees, "How many of you have a new favorite hobby: researching the ARRA?"
Providers are looking for answers to key questions:
What's in it for me?
What are the important dates and deadlines?
How do I secure the funds?
How will the feds define "meaningful use"?
During a session on strategies to manage the opportunities and risks for health IT in the economic stimulus, Burde said the ARRA, aka stimulus law, redefines government and private sector roles. "The federal government is taking over as the strategic leader," he said.
The main focus of the ARRA is to stimulate the economy, but it's also trying to reform healthcare at the same time, said Charles Christian, director of information systems and CIO at Good Samaritan Hospital in southwest Indiana. Healthcare IT can yield tremendous savings, but there are challenges to achieving those goals. For example, there is the manpower question. Do vendors and providers have enough staff members to implement all of this technology? The general consensus is no.
In addition, organizations have to revamp their processes if they are going to improve healthcare by the appropriate application of technology. "Just installing technology will not fix the problem," said Christian. "We are hoping this will give us the capital, but we are expected to do the work and show the outcome of that work before we get a nickel."
The law fundamentally redefines the language of health IT—what is a qualified EHR and who will be the certifying agency. But one element the health IT section of the law doesn't include is accounting for disclosures, said Burde. That is in a different part of the law. "They didn't integrate a lot of the pieces together," he says. "Congress is counting on the regulatory process to fill it in."
So what will be the minimum necessary disclosure requirements? Will nurses and physicians have to enter a reason every time they want to access the EHR? Imagine the impact on workflow that would have in the provider setting. "Our job going forward will be to ensure that these disclosure requirements reflect reality," said Burde.
There are still a lot of questions about the stimulus package, but organizations shouldn't wait too long to start implementing their IT strategy, experts say. "It's not time to panic, but it is also not time to procrastinate," advised Christian.