Attorneys for more than 400 plaintiffs filed a class-action lawsuit against Nationwide Insurance this week, claiming that the company sold Washington consumers illegal health plans that left them with insufficient coverage. The suit alleges that the insurer "unfairly and deceptively" sold fixed indemnity plans, which feature lump-sump payment limits. Plaintiffs said the plans do not comply with laws requiring certain minimum benefits.
We know you have plenty of spare time as you lead your hospital through an economic recession where the uninsured knock on your door and the insured don't answer the door when you come knocking for payment.
In your search, you will find 13 references, all under the Health Information Technology for Clinical and Economic Health (HITECH) Act, or Title XIII. Each one affects your HIPAA Security Rule compliance program in light of the new laws.
The problem?
No one knows what that means, exactly—at least not at this moment.
Congress gave the Department of Health & Human Services (HHS) 60 days from the February 17 signing of the Act–or Friday, April 17–to define "unsecured protected health information." So far, there has not been an announcement. If no definition is released, it goes to a default–one that includes all protected health information that is not secured by an encryption standard endorsed by the National Institute of Standards and Technology (NIST).
So how do you prepare now without that key definition? After all, the HITECH Act calls for strict notification requirements, all of which hinge upon breaches of "unsecured protected health information." The new requirements include:
Notification of all individuals whose unsecured PHI may have been disclosed or accessed
60-day window to notify those patients
Requirement to explain why you had to use the full 60 days to notify
Notification of prominent media outlets when breaches of unsecured PHI include 500 patient records or more
Immediate notification of the secretary of HHS on breaches of at least 500 patients
So, you can kind of see why this definition is important. Or is it? Should you be watching ever so closely for a definition?
"Don't hold your breath," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Borten thinks the definition will matter, but she does not see it including any earth-shattering content that strays too far from what's already out there.
For instance, the Security Rule of 2003 already establishes encryption as a necessity for PHI flowing over the Internet and open networks. That encryption mandate goes back to the 1998 proposed Security Rule, Borten says. And the Healthcare Financing Administration came out with an Internet Security Policy in 1998.
"We've known we need to encrypt confidential data over the Internet for over a decade," Borten says.
Further, when you've got a federal department with no permanent leader–President Barack Obama nominated Kathleen Sebelius as the new secretary of HHS, but she has not been confirmed–how much can you do anyway?
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says organizations have come a long way encrypting data already.
"We've come so far along making sure we've got under the Security Act everything protected, encrypted, and how to have a secure firewall, a hacker-proofed system and all of that," she says.
Organizations that have encrypted data are in good shape.
However, as Johnnie Cochrane might say, if you don't encrypt, you must equip. Look for any potential unsecured PHI and evaluate the need for encryption.
"It's free," Borten says. "We pay for it with our tax dollars. The resource is fabulous."
For the record, the general default definition of unsecured PHI in the HITECH Act is: "Protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute."
When can they change the default definition? That's unclear now. Ultimately, things may not change a whole lot.
"As long as you're buying products that use known algorithms, you really should be fine," Borten says. "I don't think HHS or Congress expect organizations to throw out what they've done so far."
For one Washington hospital, making the move from Joint Commission accreditation to DNV Healthcare, Inc.'s NIAHO accreditation was a matter of research, timing . . . and moving at a lightning pace.
Group Health Central Hospital is part of Group Health Cooperative, an integrated delivery and financing system providing care to approximately 400,000 residents of Washington and Northern Idaho. The organization operates 26 primary care centers, three specialty centers, and one hospital.
"It all started out at the annual Institute for Healthcare Improvement National Forum," says Elizabeth Rosen, RN, BSN, director of quality and regulatory compliance for Central Hospital. "DNV was there, and I discussed the situation with them, and came back to share my interest with our leadership."
The hospital's chief of hospital medical staff, director of clinical operations, and Rosen met with DNV first to determine whether the change was worth pursuing. Next, they brought in hospital administration, the chief nursing officer, the vice president of acute care, and legal counsel.
"I had outlined a proposal with a comparison of The Joint Commission and NIAHO standards," says Rosen. "People were all positive, though there was some concern about the timeframe."
And what a timeframe it was—the hospital was due for a Joint Commission survey any time after January 1. Regardless of whether it was changing accrediting organizations, Group Health was subject to the survey, and could not change accrediting organizations if it had any outstanding requirements for improvement with the old accrediting organization.
The decision went from hospital leadership to the CEO of the overall organization.
"The CEO, in consultation with the board of trustees, made the final decision," says Rosen. "At the same time, this decision-making process was going on, we did a high level gap analysis to look at the differences between DNV and the Joint Commission, to understand where our focus areas would be."
The hospital's legal counsel reviewed the contract template, and the application was filled out during the decision-making process because everyone involved knew the change would have to happen fast.
"We made the final decision to withdraw from The Joint Commission, and immediately following withdrawal sent our application to DNV," says Rosen.
After signing the contract, the hospital began working with DNV to establish a timeline for the survey process—all in all, there was about a month between the signing of the contract and the arrival of DNV surveyors.
"We had to move very quickly," says Mary Lou Calise, RN, BS, MSQA, CPHQ, quality consultant for Group Health. "We needed to be very compliant in a very short time period."
Because there would be a time gap between Joint Commission and DNV accreditation, Rosen worked with the state Department of Health and the local CMS office to keep it up to speed about the hospital's accreditation status.
Leaving The Joint Commission
After submitting the withdrawal notice, the Group Health hospital administrator received a call from The Joint Commission account representative to schedule an exit interview.
"Toward the end of the interview they wanted to know the actual date of withdrawal," says Rosen. The letter had said "immediately." Whatever date is specified for the withdrawal, The Joint Commission sends a notification to CMS to say that the facility is no longer subject to The Joint Commission accreditation. It was unclear what implications, if any, the notice to CMS might have concerning the hospital's continuing Medicare certification.
"Our understanding was that our [Joint Commission accreditation] certificate was effective through mid-March 2009," says Rosen.
According to The Joint Commission representative, the minute you withdraw, however, you go into non-accreditation status, she says. Which left the hospital in a quandary—if you do not withdraw immediately, you are still subject to a Joint Commission survey at any time, even if the hospital is in the process of changing to a different accreditation body.
"We were a little surprised at that," says Rosen. "So we reviewed the situation with our attorney and with our accreditation consultant at The Greeley Company, and were assured it was not a significant issue."
Once NIAHO accreditation has been achieved, the next step will be implementing the second component to DNV accreditation—use of ISO-9001.
"ISO-9001 is centered around quality," says Calise. "Industry has been doing it for a long time. It's looking at processes, making sure you're meeting the standards you're reaching for, and if not, adjusting them to make sure you do."
Why is it that many of the same companies appear repeatedly on lists of the best places to work, the best providers of customer service, and the most profitable in their industries? When we talk with the leaders of these organizations, some of who have changed the rules for competing in entire industries, they point to culture as a primary reason for their success. Just as important, culture is an advantage that competitors find hard to duplicate.
What do managers at the best places to work understand that others don't? For one thing, they recognize that culture is anything but the soft, mushy set of platitudes some leaders think it is. They understand that the identification of organization values is meaningless without a determination of the behaviors, measures, and actions that reinforce those values. They know that strong cultures can lead to success or to failure—depending on their capability to foster and deal with change. That may be another reason culture gets a bad rap in some corporate circles.
People like Al Stubblefield, CEO of Baptist Health Care in Pensacola, FL, understand that strong and adaptive cultures can foster innovation, productivity, and a sense of ownership among employees and customer—all important elements in leveraging value over costs. Stubblefield knows that it's possible to develop a strong and adaptive ownership-based culture where one hasn't previously existed.
Owners are employees who go the extra mile to recommend friends and others as potential colleagues. They suggest ways of improving products, services, processes, and relationships. Our research into a group of world-class companies that foster employee ownership reveal four practices that help explain how they got there.
1. Create a strongly shared sense of purpose, falling just short of that of a cult. Purpose is self-evident in the work of some organizations. Few would question that Baptist Health Care is in the business of saving and improving the quality of lives.At Baptist, the quest is to provide superior service to "customers" (not patients) and to "improve the quality of life for people and communities served." To accomplish this goal, hospital employees as well as physicians must exhibit behaviors that are not typical of their professions.For example, those who engage customers directly must be able to work in teams, something that is difficult for many medical practitioners, especially doctors who have been placed on a pedestal in the past. Senior management must be willing to spend time on the front lines making the rounds with employees. In short, at Baptist Health Care, quality care and phenomenal levels of patient satisfaction require adherence to unconventional practices.Constructing such a culture begins with the creation of a working environment that will attract the most talented employees—those who can establish extended, profitable relationships with targeted customers.2. Establish a clear set of values and behaviors that embody a shared purpose. Stubblefield engaged Baptist Health Care's entire organization in establishing a new set of values and behavior. The process began with a two-day meeting for the senior management team, who then spent four months enlisting everyone else to discuss the following three questions:
Why do we exist? (What is our mission?)
What are we striving to become? (What is our vision?)
What guides our everyday behavior? (What are our values?)
The discussions took place among focus groups throughout the organization, with senior management involvement at several levels. During these meetings, leaders also posed the question, "What makes a great culture?" The employee responses helped outline critical core behaviors: open communication of performance feedback and ideas for doing things better, a "no secrets" environment in which the bad news is shared along with the good, and a "no excuses" environment in which employees are accountable for actions and results. The organization-wide outcome appears in the Baptist Health Care Vision, Values, and Five Pillars of Operational Excellence.3. Constant communication of purpose and values through senior management behavior, organization-wide performance metrics, and corrective actions when necessary. Communication is constant and multifaceted at Baptist. Both good and bad news regarding organization performance is regularly posted in the cafeteria. Employee forums, where letters from customers are often read, are videotaped for distribution and later viewing. And the company's intranet is heavily used.Communication can take unusual forms. For example, BHC "borrowed" what is known as the Daily Line-Up from the Ritz-Carlton, in which employees participate in a daily lineup at the start of their shifts. During each lineup, managers present one new service initiative or behavior, entertain suggestions, and recognize any employees who have demonstrated outstanding performance. BHC Daily Line-Up works in the same way. Every team convenes for a few minutes a day to share a concept and suggest a training idea.
In BHC's Listening and Learning program, managers lead discussions on subjects such as survey results, and they solicit ideas for ways to improve customer service. The resulting "customer snapshot reports" compile all of the employees' observations and ideas for general distribution.
4. Strong leadership that both reinforces the culture and preserves its adaptability. Cultures take shape with or without leadership, but rarely does a competitively superior culture emerge without it. Effective leaders set the tone for an organization through their own behaviors. For example, at Baptist, people at all levels are encouraged to engage in several "Baptist behaviors" that are peculiar to the organization—and sometimes startling to customers—but have a functional purpose. One of these is the custom of picking up trash (something Bill Marriott also does at his company's hotel properties).
Then there is the "Baptist shuffle," in which leaders take the time to erase scuff marks left by shoes on polished floors. Another is walking people in need of direction to their destinations. Everyone, starting with Stubblefield, does these things all the time, in part because they foster a sense of being part of a culture that is something special.
Good leaders reinforce culture by demonstrating accountability for behaviors and results that foster the same attitude among employees. At Baptist, this begins with "Traditions," a two-day orientation. Half the time is focused on BHC's culture. This session is followed by "ServU," a half-day refresher course for employees who are completing six months of service and have had a chance to observe and work in the culture.
ServU focuses almost exclusively on the way employees understand and experience the BHC culture. In particular, the discussion covers the standards of performance for 10 specific behaviors: attitude, appearance, communication, call lights (which all hospital employees are responsible for answering), commitment to coworkers, customer waiting, elevator etiquette, privacy, safety awareness, and sense of ownership. The BHC employee standards team also devises ways of celebrating the "standard of the month" on a rotating basis.
The BHC story shows clearly how a strong culture creates the potential for high performance. We say "potential" because some of our other research has suggested that strong cultures by themselves are not enough to drive long-term success. Leaders who foster a strong ownership culture must also preserve its ability to adapt to a changing environment. They do it by emphasizing practices that help the organization and its people grow: continuous improvement, "best practice" exchange, innovation in products and services, as well as management systems, education for personal development, and—again—communication, communication, communication.
The perils of success
Building and maintaining a winning culture takes work and constant vigilance. By the time we caught up with Stubblefield in late 2006, the organization's dilemma reflected the success of previous years. Baptist's customer satisfaction scores had fallen back to the 98th percentile. Everyone knew about it because the practice of sharing good and bad news involved, among other things, posting scores in the company cafeteria.
As Stubblefield put it, "When we dropped to 98 after seven years at 99, [the employees] panicked. They had a 'back to basics' course—put every employee in the organization through it. Because we fell to the 98th percentile." Notice that it was the employee owners who panicked and got to work to reinforce the culture at BHC.
Indeed, culture may truly represent a source of competitive advantage that most organizations have ignored. No wonder Rackspace CEO Lanham Napier says, "Our culture and the awesome people we have are the things I am most proud of, as well as creating an environment where people get to do what they do best. I would say it's impossible for our competitors to copy. They'd have to start over and build it from scratch."
James L. Heskett and W Earl Sasser, Jr. are both Baker Foundation professors at Harvard Business School. Joe Wheeler is the executive director of the Service Profit Chain Institute. All are co-authors of The Ownership Quotient: Putting the Service Profit Chain to Work for Unbeatable Competitive Advantage.
For information on how you can contribute to HealthLeaders Media online, please read our Editorial Guidelines.
A group of 12 healthcare organizations, including the American Hospital Association, has urged CMS to withdraw or delay the recent policy change regarding physician supervision of hospital outpatient services, according to an April 15 article on the AHA's Web site, AHA News Now. The organizations recommended that CMS suspend enforcement of the policy until the agency can address all related concerns.
The policy, which CMS announced in the 2009 OPPS final rule, requires a physician privileged by the hospital to be present in a department of the hospital, or its outpatient departments furnishing outpatient therapeutic services, both on and off campus.
In its April 15 letter to CMS, the group says the policy "places a considerable burden on hospitals, requiring them to engage more physicians for direct supervisory coverage without a clear clinical need."
The letter also states that "the impact will be particularly severe for small or rural hospitals, such as critical access hospitals, which are often the only source of outpatient hospital services within many miles and which are in locations which may have only one or two physicians in the entire community."
Kimberly Anderwood Hoy, JD, CPC, director of Medicare and compliance for HCPro, Inc., in Marblehead, MA says the letter is "a good start, because certainly hospitals have felt that this was an onerous burden."
In the 2009 OPPS final rule, CMS stated that lack of direct physician supervision was a quality concern. The letter responds that "beyond this statement, CMS offers no evidence to support the assertion that quality is affected at these sites of service when there is no direct supervision. If quality is one of the reasons for imposing this new requirement, then CMS must make available the data that supports this contention."
Hoy points out that many of the services affected by the current policy (for example, infusion and wound care) are also delivered by home health nurses in a patient's home without a physician present. "It doesn't make sense for CMS to limit coverage of these services without a physician present in the outpatient department, when they are being done safely, without a physician present by home health nurses in patient's homes," she says.
Second, CMS argued in the final rule that the policy was a clarification rather than a change. The letter draws attention to the confusion this position has caused within the industry: "CMS' intent…was not clear in the 2009 OPPS proposed rule. There was a clear lack of effective and adequate notice about the CMS policy change . . . therefore, many in the field missed the opportunity to address the substantial impact this policy change would have on providers and physicians."
Hoy says that even if opponents of the policy were to concede to CMS that this policy has always been its intent, that doesn't mean that CMS shouldn't take a look at how delivery of health care has changed in the past ten years. "They may need to re-examine the policy in light of the lack of safety concerns that have arisen," she says.
Hoy adds that a strength of the letter is that many reputable associations without a common agenda back it. She suggests that while CMS could dismiss the concerns of individual hospitals as biased, a letter from the principal associations commands more attention.
The letter concludes with a call upon CMS to hold a special Open Door Forum or Town Hall meeting to address the policy and the problems it is creating. This, it says, "would be an important first step . . . ensure it provides the hospital and physician community with the opportunity to provide full feedback on the new policy's impact."
Hoy says such a meeting would offer the industry an opportunity to discuss the CMS basis for saying that the policy is necessary for quality.
Bryn Evans, CPC-A, is a managing editor withHCPro, Inc.
Medical directors working in nonhospital-owned group practices receive higher compensation than their counterparts working in hospital-owned group practices, according to a recent study conducted by the Medical Group Management Association. "Medical Directorship/On Call Compensation Survey: 2009 Report Based on 2008 Data" reveals that nonsurgical specialists in nonhospital-owned practices received $27,400 more annually than those who work in hospital-owned practices, among other pay discrepancies.
Vast pay discrepancies between medical directors may be in part due to the role's shady history in hospitals. In the past, medical directors received generous salaries yet had vague job descriptions. "That's a big Stark no-no," says William Cors, MD, CMSL, president of medical staff services at The Greeley Company, a division of HCPro, Inc. in Marblehead, MA. Regulators cracked down on such arrangements, which often disguised a hospital's efforts to secure the allegiance of a physician or group of physicians, he explains.
Often, medical directorships were given to senior physician who were well liked, and their primary responsibilities were to smooth over medical staff issues and deal with disruptive physicians, adds Donald Thomas, CEO and CMO of Mentat Systems Inc., a healthcare consulting and direct management firm in St Petersburg Beach, FL. "[Hospitals] would pay them an out-to-pasture salary and didn't ask much of them."
Most hospitals have learned their lesson (let's hope) and are careful not to pay medical directors above and beyond fair market value, but the role of the medical director is still hazy in the hospital setting—hence the continued pay discrepancies. Nonhospital-owned physician groups have given medical directors executive-level responsibilities from the get-go, says Thomas, which means they get paid more because they do more.
Despite the medical director's historically unclear role in hospitals, Cors argues that properly designed medical directorships can serve as the backbone of an effective medical staff. "As more docs have less to do with the organized medical staff, quite frankly, someone has to do the work. One option is to have medical directors." However, for this model to work without tripping the Stark alarms and tarnishing a hospital's reputation, the hospital needs to define the medical director's responsibilities, create systems for assessing his or her performance, pay fair market value, and establish accountability (you know, like any other job).
"If hospitals were to require that the [medical director] be skilled in executive duties and hold their weight on the executive platform, they would get an ROI that far exceeds the amount they spend to pay them," says Thomas. He adds that the definition of a medical director should be no less clear than the role of a CIO, CEO, or COO and that the role should carry real and definable responsibilities. Those responsibilities should include the ability to read a basic balance sheet, create a budget, manage personnel issues, and "…all the stuff needed to manage an operating unit."
Liz Jones is an associate editor in the medical staff department atHCPro, Inc.