The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. The hackers claim to have accessed 8 million patient records and 35 million prescriptions collected by the Prescription Monitoring Program. Read more about this topic in HealthLeaders Media's Daily News & Analysis.
Providers and vendors alike are anxiously waiting for HHS to establish a clear definition of "meaningful use" as a prerequisite for eligibility to tap into the $19 billion in EHR incentives available under the American Recovery and Reinvestment Act (ARRA) of 2009.
What we know is that for hospitals, meaningful use will include the ability to exchange health information, provide decision support for physician order entry, and submit data related to clinical quality and other measures that HHS selects. For physicians, it will also include an electronic prescribing capability.
One big unknown is the specific quality measures hospitals must report to be eligible for incentives.
The FY 2010 Inpatient Prospective Payment System (IPPS) proposed rule that CMS released May 1 referenced the Health Information Technology for Economic and Clinical Health Act, but only to say that HHS will select the ARRA measures in a separate rulemaking process.
The proposed rule also reiterated the fact that ARRA requires HHS to give preference to those clinical quality measures that have been selected for the RHQDAPU program, and it highlights the overlap between the two efforts. Specifically, the rule states the following:
The RHQDAPU program and the HITECH Act have important areas of overlap and synergy with respect to the reporting of quality measures using EHRs. We believe the financial incentives under the HITECH Act for the adoption and meaningful use of certified EHR technology by hospitals will encourage the adoption and use of certified EHRs for the reporting of clinical quality measures under the RHQDAPU program. Further, these efforts to test the submission of quality data through EHRs may provide a foundation for establishing the capacity of hospitals to send, and for CMS to receive, quality measures via hospital EHRs for future RHQDAPU program measures.
Another big unknown is what the requirements for decision support will entail. There a variety of different elements that decision support could include, says Kelly McLendon, RHIA, president of Health Information Xperts, LLC, in Titusville, FL. For example, it could include dose range, error checking, allergy notification, protocols, clinical pathways, or templates. All of these functions are part of decision support, he says, and each one has its own unique implementation challenges.
Interoperability is perhaps one of the largest unknowns. Aside from the technical and logistical aspects of exchanging information, hospitals should consider the ramifications of information exchange with other entities, McLendon says. "What information do we send and when? Will the information from another hospital become part of the receiving hospital's legal health record?"
The laundry list of unknowns has left providers trying to make sense of the regulation. But the lack of information hasn't precluded several professional organizations from weighing in with their thoughts on what a definition of meaningful use should entail.
The Healthcare Information and Management Systems Society (HIMSS) published its definition of meaningful use on April 27—one day before the National Committee on Vital and Health Statistics (NCVHS) would hold a two-day hearing in Washington, DC on the topic.
When it comes to the Red Flags Rule, the Federal Trade Commission's mandate that creditors establish an identity theft prevention program, an expert says facilities should not sound the sirens.
"Our plan is to train staff to look for red flags and to bring it to the privacy officer's attention," Chris Simons, RHIA, director of UM & HIMS and the privacy officer of Spring Harbor Hospital in Westbrook, ME, tells HealthLeaders Media.
"We certainly don't want registration staff confronting patients or getting in the way of providing medical care when patients need it."
Spring Harbor is ahead of the game. It established its Red Flags Rule program before the FTC's original May 1 deadline. Last week, the regulators pushed compliance back to August 1.
"This is good training any time, so I am fine that we are ahead of the curve," Simons says.
The rule forces any organization considered to be a "creditor" to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. "Creditors," the FTC says, are agencies that regularly extend or renew credit–or arrange for others to do so–and includes all entities that regularly permit deferred payments for goods or services. Simons and Spring Harbor followed the FTC guidelines to a tee. It wrote a policy that included potential red flags, established protocol when a red flag surfaces, and presented the program to its board of directors for approval.
It also rolled out a PowerPoint training presentation that included:
Admissions staff
Registration staff
Patient accounts staff
HIM
Clinicians
IS staff
In the training, the hospital identified potential red flags, such as:
Patient presents documents for identification that appear to be altered or forged
Patient's photo, identifying characteristics (e.g. ethnicity, sex, age) or signature does not appear to match what is on file
Social Security number or other identifier (e.g. insurance policy number or date of birth) is inconsistent with external information sources
Address/phone number or other demographic information is inconsistent with other sources of information
Medical records show treatment inconsistent with current presentation
Spring Harbor's Red Flags policy also identifies the privacy officer as the point of contact for any staff member who spots a red flag. The privacy officer then notifies the patient if the case was indeed determined as identity theft and acts accordingly to protect the victim.
Spring Harbor's policy also asks registration staff members to request picture IDs or at least two other forms of patient ID.
The key for your facility, just like it as Spring Harbor, is to identify discrepancies and refer to your policy when it happens.
"We focused on this from a patient safety point of view," Simons says. Simons says most facilities should have already had checks in place like these. It's just that now, the FTC has made enforcement formal through a regulation, which is similar to HIPAA through the HITECH Act.
"This is very timely," Simons says. "Every time you turn around, there's a breach."
Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.
Ingenix has announced that Sutter Connect, a Sutter Health affiliate and healthcare management and administrative services company, has signed a five-year contract for Ingenix Impact Intelligence and services from Ingenix Consulting. Through the agreement, Sutter Connect will offer physicians in the Sutter Medical Network access to performance metrics and services they can use to measure and improve medical care and delivery, according to a release.
IBM Global Financing is adding a $2 billion financing component to help providers finance health IT initiatives tied to the American Recovery and Reinvestment Act. The Armonk, NY-based company said that the move will help "U.S. organizations move ahead with IT projects that could improve their infrastructure or competitive edge and point them in the direction of economic recovery."