HHS released an interim final rule on breach notification and the acceptable methods for covered entities (CEs) and business associates (BAs) to encrypt and destroy patient records in order to prevent breaches of protected health information (PHI).
The American Recovery and Reinvestment Act (ARRA) of 2009 required HHS to issue the final guidance, six months after President Barack Obama signed into law Title XIII of the ARRA — the Health Information Technology for Clinical and Economic Health (HITECH) Act.
The breach notification regulations take effect September 23.
However, covered entities need not worry about HHS enforcement until February 22, 2010.
HHS says in the Federal Register it will "use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or February 22, 2010."
The regulations include the following:
Notice to patients alerting them to breaches “without reasonable delay” within 60 days
Notice to CEs by BAs when BAs discover a breach
Notice to “prominent media outlets” about breaches of more than 500 patient records
Notice to “next of kin” about breaches of patients who are deceased
Notice to the secretary of HHS about breaches of 500 or more patient records without reasonable delay
Annual notice to the secretary of HHS of breaches of fewer than 500 patient records when their PHI is unsecure (which poses a significant financial risk or other harm to the individual)
The Federal Trade Commission (FTC) also issued its final rule requiring some Internet-based businesses to notify consumers when there is a breach of consumer PHI, according to an FTC press release issued Monday.
The FTC rule applies only to vendors that offer personal health records that “provide online repositories that people can use to keep track of their health information.” The rule also applies to entities that offer third-party applications for personal health records, according to the release.
“This is just another example of trying to put some more teeth into the HIPAA regulations,” says Chris Simons, RHIA, director of UM & HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME. “Covered entities should already have been notifying patients of any breaches. It is an industry best practice.”
Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, says it’s important to note the HHS interim final rule states that, in general, accidental disclosures within the same organization do not require notification.
The interim final rule states, “if there is no significant risk of harm to the individual, then no breach has occurred and no notification is required.”
“Privacy officers should be breathing a sigh of relief that those faxes sent by mistake to one doctor instead of another, for instance, will not be required to be reported,” Simons says.
In this week’s interim final guidance, HHS added encryption layers to specify the technologies and methods that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” Some of these layers were not specified in the draft guidance released in April.
This guidance will be updated annually. In the interim final rule, the definitions for acceptable encryption include the following:
Electronic PHI encrypted as specified in the HIPAA Security Rule. This includes "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key."
The definitions for acceptable destruction include the following:
Paper, film, or other hard copy media shredded or destroyed so PHI cannot be read or reconstructed. Redaction is specifically excluded as a means of data destruction.
ECRI Institute, a non-profit patient care research organization, has released a report criticizing the millions of dollars spent on physician preference items, medical supplies ordered primarily because they are preferred by the medical staff. "In order to attain the savings associated with acquisition of physician preference items, hospital leaders need to win the cooperation of the physicians through an evidence-based, value-focused process," said ECRI COO Anthony Montagnolo in a statement.
Community Health Systems Inc., a Tennessee-based healthcare corporation, allegedly made illegal donations to New Mexico counties that contain three Community Health hospitals, according to an August 10 Albuquerque Journal article.
The whistleblower suit, which was filed in 2005 by a former employee, Robert C. Baker, claims Community Health made donations to the counties to subsidize the state's Medicaid contributions. The counties then allegedly turned that money over to the state as their Medicaid contribution. Because the federal government pays three times what the state pays for Medicaid, Community Health allegedly received a return on their investment plus triple the amount donated, according to the suit.
According to the article, Baker learned about the scheme when he took over as revenue manager for Eastern New Mexico Medical Center in Roswell, NM.
Is the third time a charm? That's the burning question on everyone's minds as the Office of the National Coordinator (ONC) begins to review the third set of recommendations set forth by the HIT Policy Committee's meaningful use work group.
Although the newest matrix closely follows the July version, the work group did add the following new footnotes:
While all process measures (e.g., computerized physician order entry [CPOE] adoption) apply to all eligible providers, applicability of quality or outcome measures to specialists will be defined in the rule-making process. In 2013, disease- and/or specialty-specific registries are included as objectives. Specific measures will be included in refinements to the 2013 recommendations.
Additional efficiency measures to consider for 2013 recommendations include: generic therapeutic substitutions for medications.
National Quality Forum is working with measure developers to refine existing administratively defined quality measures referenced in the matrix to be redefined using clinical and administrative data from EHRs.
Of note is that both the July and current versions of the matrix recommend that in 2011, hospitals must be able to prove they are using CPOE for at least 10% of orders (any type). According to the matrix, orders must be entered directly by the authorizing provider, such as an MD, DO, RN, PA, or NP. By 2013, that percentage would jump to 100%. By 2015, hospitals must be able to achieve certain levels of performance as dictated by yet-to-be-determined clinical outcomes standards.
On the physician practice side, providers must use CPOE for 100% of all order types beginning in 2011.
The CPOE requirement shouldn't be too burdensome for hospitals, says Kelly McLendon, RHIA, president of Health Information Xperts, LLC, in Titusville, FL, who adds that "the 10% is low" as compared to requirements for providers in the practice setting.
Another notable recommendation is that CMS withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved. In 2011, hospitals and providers must satisfy the following measures:
Full compliance with HIPAA privacy and security rules
Conduct or update a security risk assessment and implement security updates as necessary
In 2013, hospitals and providers must be able to provide summarized or de-identified data when reporting information for health purposes (e.g., public health, quality reporting, and research), where appropriate, so that important information is available with minimal privacy risk.
In 2015, hospitals and providers must be able to provide patients, on request, with a timely accounting of disclosures for treatment, payment, and healthcare operations, in compliance with applicable law. They must also be able to incorporate and use technology to segment sensitive data.
During the August 14 meeting, the certification/adoption work group also made several recommendations, including that multiple organizations should be deemed certifying agencies for EHRs as opposed to a single organization. In the interim, the Certification Commission for Health Information Technology will lead the way in mapping out certification criteria.
The HIT Policy Committee approved all of these recommendations and forwarded them to the ONC for review. The committee will meet again on September 18, October 27, and December 15. According to ARRA provisions, the ONC must finalize a definition of meaningful use no later than December 31.
Timothy Crowley, MD, told the Boston Globe that he was joking when he left a voicemail for a physician recruiter at a rival hospital: "You don't want to go to war with me. I'll take everything you got and everything you love and kill it."
Crowley's jest, which cost him his job when executives at Caritas Christi Health Care got wind of it, may have revealed more truth about the competitiveness of physician recruitment today than he realized.
Crowley left the voicemail after James Blakely, a recruiter for Mount Auburn Hospital, "fired the first shot" by trying to woo three Caritas physicians earlier in the year. According to the Globe report, the two were longtime friends and had once worked together, so the voicemail was intended as a "light-hearted joke." But the competition for physicians was very real, and neither hospital approached the situation with a sense of humor.
Competition for physicians is nothing new—hospitals in tough markets frequently try to steal away top surgeons or specialists from each other, particularly if doing so will boost a high-priority service line. But Mount Auburn and Caritas went to war over three primary care physicians, not specialists, and that may reflect the recruitment battlefield of the future.
The convergence of physician shortages and efforts to expand medical coverage is making recruitment more difficult, and more of a necessity, particularly in primary care.
How can we provide coverage for nearly 40 million more Americans with the physician workforce already strained in many areas? That problem may ultimately prove trickier to solve than many of the hot-button issues that are getting so much political attention today.
Massachusetts is an important bellwether. Although the state's healthcare plan is frequently maligned by opponents of healthcare reform, it has been fairly successful at expanding coverage (97% of the population is insured) without letting costs spiral out of control. And so far, no death panels.
The big obstacle for the state, however, is a shortage of physicians. A 2008 report found that 12 of 18 specialties in Massachusetts were in short supply, and shortages in family practice and internal medicine were critical.
Now extrapolate that to the rest of the country. The number of U.S. medical school students going into primary care has dropped nearly 52% since 1997, and other specialties are in short supply in certain areas.
Unfortunately all of the steps being taken to alleviate the problem—increasing primary care reimbursement, exploring different practice models, boosting training—are slow-moving and will take years to make a difference.
That means, like in Massachusetts, hospitals and medical groups around the country will see higher patient demand and have to compete for the same pool of physicians. A lot of hospitals are preparing to go to war over physician recruits; Crowley's just the only one who admitted it.
CMS created the Recovery Audit Contractor (RAC) program as part of an effort to reduce improper Medicare payments by contracting independent auditors to detect and collect overpayments. The auditors are also charged with identifying underpayments, although during the RAC demonstration phase, about 25 times more overpayments were collected than underpayments paid ($980 million versus $37.8 million).
The demonstration project, which ended its three-year process in March 2008, is the best body of evidence we have to project what the permanent program will be like. The permanent program continues to roll out across the country, with the goal of having all four RAC regions, each responsible for one-quarter of the country, fully operational by 2010. Hospitals and other healthcare organizations interested in preserving their Medicare revenue—including already billed and collected funds—would do well to study the demonstration and learn as much as they can to prepare for a future where RAC audits will soon become an unavoidable reality.
You can do the following to protect your organization from RAC auditors:
Be forewarned. Assessing your risk is an important first step to understanding how big of a problem RAC could be for you. Review historic claims against RAC findings to get a ballpark estimate of how your organization would fare in an audit.
Be efficient. As you build your RAC processes, focus on efficiency in your work flows, reuse documents wherever possible, and always be on the lookout for ways to streamline your processes. New RAC work flow and documentation tools are coming to market now that can help.
Be aware. RAC correspondence is often sent to the hospital's general delivery mailbox, and many organizations are not set up to alert the right people as soon as this occurs. Payment retraction can be halted if FI-level appeals are filed within 30 days and QIC-level appeals within 60, so make sure your staff is trained to spot these letters immediately.
Be persistent. We see no reason not to appeal all the way to the Federal District Court level until standards emerge for what denials will and will not be overturned and why, especially when it comes to large-value claims.
Be consistent. Many billing organizations find themselves torn between clinicians seeking to provide the safest, highest-quality standards of care on one side and RAC auditors making them pay for exceeding basic thresholds of quality on the other. We are working with several organizations to write their own RAC rulebook, setting out well-substantiated standards of care for the organization and using that document to fend off both groups. The idea is to make internal and external organizations prove their case against your evidence.
Editor's note: Bowden is the president of consulting services at ClaimTrust, Inc. She may be reached at kbowden@claimtrust.com. This article was adapted from one that originally appeared in the August 2009 issue of Health Governance Report, a HealthLeaders Media publication.
Senator Charles E. Grassley, an Iowa Republican who has led a long-running investigation of conflicts of interest in medicine, is starting to put pressure on the National Institutes of Health to crack down on the practice of ghostwriting in medical research. The NIH underwrites much of the country's medical research. Many of the nation's top doctors depend on federal grants to support their work, and attaching fresh conditions to those grants could be a powerful lever for enforcing new ethical guidelines on universities, according to the New York Times.
Dr. Kurt Kastendieck, a family practice physician in New Mexico, talks about his experiences in a high-tech practice and offers advice to physicians considering adopting an EHR system. [Sponsored by Emdeon]
Note that CMS has not approved bronchoscopy services at this time for Florida providers.
However, CMS has approved the following new issue:
Clinical social worker (CSW) services. CSW services rendered during an inpatient hospital stay are not separately payable under Medicare Part B; they are included in the facility's prospective payment system (PPS) payment. CSW providers are expected to seek reimbursement from the facility.
Connolly has not yet posted approved issues for other states and territories in the region, including Alabama, Arkansas, Georgia, Louisiana, Mississippi, North Carolina, New Mexico, Oklahoma, Tennessee, Texas, West Virginia, as well as Puerto Rico and the U.S. Virgin Islands.
Yesterday's report that 39% more patients left their hospital beds against medical advice in 2007 compared with 10 years earlier caught one of the nation's leading hospital quality experts off guard.
"We had understood this is a growing problem, but these numbers and changes are significant and surprising," says James Conway, senior vice president for the Institute for Healthcare Improvement, adding that he understands "the circumstances that are allowing this to be the case."
The report, compiled by the federal Agency for Healthcare Research and Quality, said these patients who leave against medical advice (AMA) "may be at increased risk for adverse health outcomes" and "significantly higher (hospital) readmission rates compared to other patients."
They leave because of "financial considerations and stresses, family emergencies, self-assessment of their health status, or dissatisfaction with their treatment," the report said. "Understanding the characteristics of hospital stays that result in patients leaving AMA is critical to designing strategies to prevent premature hospital departures," the report concluded.
The study, which was drawn from the Healthcare Cost and Utilization Project, found that patients who were uninsured or covered by Medicaid accounted for nearly half of all patients who left AMA in 2007.
The number of patients who left AMA grew from 264,000 to 368,000 between 1997 and 2007. The increase was much higher than the increase of all other hospital stays, which grew by 13%, from 26 million to 29 million in those 10 years.
Also, the report found, the rate of AMA patient departures was twice as high in the areas of the Northeast, 2 patients per 1,000 population, compared with the Midwest, South or the West. Additionally, patients who got out of bed and left the hospital AMA stayed only 2.7 days, compared with 5.1 days for all other hospitalized patients, and incurred costs of $5,300 compared with $10,400.
The study discovered that in general, people who left AMA were more likely to be men than women, more likely to be living in the poorest communities than in the wealthiest ones, and more likely to be living in urban areas than in rural ones.
Patients with alcohol- and substance-related disorders were 11.6 and 10.8 times more likely, respectively, to leave the hospital AMA than other patients.
The finding is a concern for physicians and hospital administrators for numerous reasons, documented in numerous studies published in peer-reviewed journals.
Patients who leave against medical advice are far more likely than other patients to require readmission within 30 days, and when they are, they are likely to be much sicker and require more expensive care.
Patients who leave against medical advice are more likely than other patients to have mental and behavioral illnesses or substance abuse problems that cloud their judgment. That condition can compromise their ability to sign consent that they understand the consequences of leaving AMA, which in turn might influence a legal claim against a hospital or physician who was in charge of that patient's care.
Patients with medical and/or behavioral problems who leave a hospital AMA may put themselves and others in jeopardy, for example, if a patient with serious cardiovascular disease is driving a car or perhaps attempts to return to the workplace and use potentially hazardous equipment while their medical issues remain unresolved.
It is unclear whether Medicare or Medicaid will pay for care required within 30 days under new bundled payment agreements if the patient was found to be incapable of giving that consent.
Readmission rates are a huge concern also because of the wide disparity from state to state on how many patients are readmitted within 30 days of hospital discharge, a disparity that hospital officials and payers are trying to reduce. For example, according to a report earlier this year in the New England Journal of Medicine, in Illinois, New York, New Jersey, Mississippi, and Louisiana, nearly 22% of patients are readmitted within 30 days while in Idaho, Utah, Oregon, Hawaii, Washington, Montana, and Wyoming, the rates are below 17%.
Those reasons, in addition to attempting to provide a higher quality level of care in healthcare settings, have prompted much more aggressive efforts, first, to keep patients from leaving AMA and, if they are determined to leave, to make sure they have adequate support and monitoring wherever they are determined to go, Conway says.
He adds that the reasons patients leave AMA have been well documented, but are important for caregivers to fully understand so they can try to grapple with the underlying reasons the patient wants to leave.
For starters, he says, many have underlying behavioral and mental health issues and find the physical health care setting suffocating and/or intolerable.
The second reason patients leave is concern about paying the bill, especially if they are uninsured.
Third, they have family members such as small children they need to take care of. "They worry, 'who is going to take care of my mother while I'm here?'" Conway says.
The fourth reason is that as some patients begin to feel better, they don't see a need for hospitalization. They think, "I have a life to live," Conway says. They might not like the lights or the noise, or may feel they are not being treated well by hospital staff or nurses. They may want to smoke or perhaps don't like the food.
Finally, patients who leave the hospital AMA are much more likely than other patients to have done it before.
With all these aspects taken in concert, a profile of the person most likely to leave AMA can be developed. "We need to screen for this as a risk factor," Conway says.
That's why hospitals need to try to build the care plan around the patient who might leave AMA from the start. First, he says, hospitals need to begin discharge planning from day one, to find out what concerns patients have about their situations at home or wherever they are that might pressure them to leave before they are medically discharged.
In some hospitals, discharge planning begins before the patient even arrives at the hospital door.
"Historically, we have not built the care plan around the patient. The patient is only told what the care plan is," he says.
Conway says that at IHI, and many facilities around the country, hospital planners are trying to determine how they can, from the start, "put together a range of options that allow the patient to get better even though they've left the hospital, without them reappearing in two weeks because the disease has gotten worse.
"We have to set up a plan B, and negotiate with the patient to follow that plan, because if we keep focusing on plan A, they will opt out."
Some strategies include making sure that the patient comes to a walk-in-clinic every other day, or agrees to accept a phone call check-in every day after the patient returns home.
"Of course the hospital team wants to have the patient in bed for four days, but when it becomes obvious the patient is determined to leave, how do we come up with a model that does some of the care on the outpatient side?"
Conway is optimistic, but realistic at the same time. "We know we can do a significant amount of work that can reduce the number of AMAs," he says. "Will it ever go away entirely? Probably not. People will be people."