Bowtie Confidential 10/18/13

October 18, 2013 Guest articles No Comments

Help Prevent Breaches with HIPAA Compliance

Since every healthcare organization is affected by the passage of the HIPAA regulations, one would think that all should be working diligently on compliance. In addition, patient health information breaches are clearly out of control. Planning for HIPAA compliance is very similar to disaster planning – and breach is certainly a disaster. Yet there is little mention or urgency surrounding HIPAA compliance.

For instance, an organization that incurs a breach suffers significantly in terms of financial, public relations, and other functions that could result in disastrous outcomes for the organization. However, it appears that many organizations find it challenging to create a proper HIPAA security planning initiative. The benefits that come with complying with the current HIPAA Privacy Rule are beyond simply avoiding regulatory sanctions. The rule helps an organization avoid a disaster such as a breach.

Creating a best-practice security program addresses HIPAA compliance and can be used to build the foundation for future technology. Further, leveraging the tools and planning efforts of the organization’s disaster recovery plans and approach could also enhance the HIPAA compliance planning effort and identify areas where data may be compromised. Systems implemented today, such as computerized physician order entry, e-prescribing, picture archiving and communication systems, wireless data networks and electronic medical records, are very costly to secure post-implementation. When planning for new systems, many factors should be included in the requirements, such as a HIPAA-compliant security program. It helps organizations avoid expensive add-on security measures. HIPAA-compliant organizations can also reduce medical errors, increase patient satisfaction and trust, improve quality of care, and create operational efficiencies.

A five-step process

Using ISO (International Organization for Standardization) and National Institute of Standards and Technology (NIST) standards, an organization can address and meet HIPAA security compliance through a five-step process. (Organizations should always attempt to use ISO/NIST standards in developing these processes.)

The first step is to perform a formal risk assessment and gap analysis. The assessment helps guide the organization in decision-making and addresses required standards in the HIPAA security rule. A detailed assessment provides awareness of the organization’s assets and risks, and identifies controls to help manage those risks. This is similar to a business impact analysis when conducting either a disaster recovery or business continuity plan.

Next, the organization will be required to address compliance gaps, which will result in a remediation plan. The plan should concentrate on the reasonable and appropriate people, process and technology requirements needed to attain and monitor compliance. This phase should be based on industry guidelines and frame the organization’s structure for ongoing security management, while complying with HIPAA security. A formal response and notification process is a key component, as it is in a business continuity/disaster recovery plan. Communication is critical to alerting and notifying key leadership, organizations and staff and to resolving the interruption or breach.

Once the remediation plan has been accepted by the organization, implementation is next. Implementation includes process and technology changes needed to close identified gaps.

Once the gaps have been closed, the organization now turns to managing and testing the plan’s effectiveness. The objective is to keep gaps closed and develop contingency plans based upon the enhanced security infrastructure.

The final phase is to educate the organization to make the new changes part of the organization’s culture. Staff seems to be the weak link in an organization’s security, as it only takes one staff member to invalidate well-designed security controls. Ongoing security education and training should be provided for management, clinical, technical staff and the general user community. Training Business Associates should also be considered. It should be noted that the security plan is dynamic, and will need to be reviewed and monitored continuously. HIPAA compliance will help your organization’s privacy and security processes. Security planning can be synonymous with disaster planning and will reduce the likelihood of breaches.

One of the critical tools used to protect patient health information is encryption. To find out more about encryption, such as what should be encrypted and how, see Hayes’ Shefali Mookencherry’s blog, The Time to Encrypt is now: HIPAA and Encryption.


Rob Drewniak is vice president, strategic and advisory services, for Hayes Management Consulting.

News 10/17/13

October 16, 2013 News No Comments


CMS extends the registration period for the PQRS administrative claims-based reporting option and the PQRS Group Reporting Option from October 15 to October 18, 2013 to give providers additional time to register. Failure to participate in PQRS for 2013 triggers a 1.5 percent reduction in Medicare reimbursements in 2015.


e-MDs will integrate Phreesia’s point-of-care check-in solution into its EHR platform.


CareCloud CEO Albert Santalo tells the Boston Business Journal that his company may launch an IPO next year. The company also just announced the hiring of R. Scott Lentz as CFO, who was the CFO for Picis when it registered for its IPO and who has been involved in fund raising activities for other organizations throughout his career. Lentz also served as CFO for Aprima Medical and PracticeOne.


Waiting Room Solutions changes its name to WRS Health “to reflect its major expansion of service offerings.” Reading between the lines, I take this to mean that in addition to its PM/EMR platform, WRS has expanded its offerings to include transcription, bookkeeping, practice marketing, and other services. The company also announced the integration of PDR Network into its EMR.

Medfusion rebrands its recently reacquired Intuit Health patient portal technology back to its original name and adds Vern Davenport (formerly of MModal) and Buck Goldstein (UNC Chapel Hill) to its board.


A North Texas publication profiles two physicians in the same practice who have differing views on EMRs. Calvin Simmons, MD has used paper for 40 years and believes that using an EMR makes a physician less focused on the patient and more attentive to the computer; he also believes an EMR would slow him down. Meanwhile, Edward Kremer, MD uses Practice Fusion and claims he “couldn’t function” without an EMR. Interestingly, both doctors claim to have patients who have left their care because they don’t like their approach to technology: some have dropped Simmons because they wanted digital records, while others have left Kremer because “they didn’t like his face glued to the screen.” Proof that there’s no pleasing everyone.

Riverside Medical Group (VA) selects athenaCollector for billing and practice management for its 300+ physicians.


Email Inga.

News 10/15/13

October 14, 2013 News No Comments

From Colonel Henry: “Re: MGMA. I wanted to pass on word that I enjoyed reading your impressions of the recent national MGMA show.  My company was prepared to bring our entire expo team to San Diego but decided against it when we saw the shortened exhibit hours. There are just so many shows to go to (we got to many state MGMA shows this year) and you have to weigh the overall value at all times. The shortened hours at the national show were the main reason for us not going. Thanks again for the always lively commentary.” Thanks for the kind words. It will be interesting to see whether MGMA opts for longer exhibit hours next year.


From Elise St. John: “Re: Souvenirs. I made it home from MGMA and thought I’d snap a quick pic of my collected treasures. The sports cream was for my aching feet.” I didn’t buy any sports cream (though that doesn’t sound like a bad idea) but I did pay $5 for a packet of eight band-aids to soothe my blisters. Maybe I’ll expense them to Mr. H.


eClinicalWorks reports a sold out crowd at last weekend’s 2013 National Users Conference in San Antonio, which featured demonstrations of the eClinicalWorks V10 EHR release, eClinicalWorks’ population health management and patient engagement tools, and over 100 educational sessions.

A local paper profiles the EMR implementations at three Kearney, NE clinics and apparently finds few providers who are happy with the new technology. A 26-doctor practice reports that staff resignations are at an all time high since starting its $1.5 million implementation, and at least one physician claims the system has added 150 minutes to his day. Another practice says the transition from paper to electronic records has required the temporary hiring of 12 workers and physicians don’t expect to recoup the cost of the investment. The manager of one clinic, however, says all his physicians are on board and they’d “never go back.”


ADP AdvancedMD says that over 1,000 users have downloaded its iPhone app since it debuted two months ago.

Aprima Medical offers its customers an option for offsite hosting services through Technology Solutions Providers, Inc.

Virginia Hospital Center Physician Group selects eClinicalWorks EHR for its 100 employed physicians and Washington Health System (PA) chooses eClinicalWorks EHR for the 87 physicians and 21 residents in its family practice residency program.

A RAND study finds that the primary driver of job satisfaction for physicians is being able to provide high-quality healthcare. EHR use impacts doctor job satisfaction because of worries that EHRs interfere with face-to-face patient interaction and increase clerical work by doctors. Physicians also have concerns that medical record accuracy may be negatively impacted when templates are used.


SRS hosts its annual User Summit this week in Greenwich, CT.

ZirMed says that so far in 2013, it has added over 900 clients, recorded 30 percent growth, and processed more than 2.2 billion transactions.


Capario launches CaparioOne, a redesigned web portal application for RCM.

More than 80 percent of medical practices participating in an MGMA survey express concern that the ACA insurance exchanges will increase patient collection burdens and offer low reimbursement rates. Still, the majority of medical practices see the potential for exchanges to provide care to underserved patient populations. Forty percent of practices are still deciding whether or not to participate with new exchange insurance products.


Epocrates introduces Provider Directory to help members easily identify other clinicians for consultations and patient referrals.


ADP AdvancedMD debuts AdvancedInsight, a business intelligence reporting suite that provides a dashboard view of a practice’s finances.


Athenahealth earns the #3 spot on the list of 2013 Best Places to Work in Maine in the large employer category.

Practice Fusion guarantees it will be 2014 MU-ready by the end of 2013 and will pay up to $5,000 in EHR costs for any new customer who switches to a different EHR if Practice Fusion’s certification timing is not met.


Emdeon will pay its former CEO George Lazenby $2.4 million over the next two years, following his September 30th resignation. Breaking up may be hard to do, but I bet a couple of million bucks softens the blow.

eClinicalWorks adds Elsevier’s ExitCare technology for evidence-based patient education and discharge instructions into its EHR.

The children of parents who use a PHR are 2.5 times more likely to be compliant with well-child visits, according to a Kaiser Permanente study. The same children were also more likely to receive all their immunizations.


During the MGMA conference last week, several sessions were filled to capacity, leading a number of attendees to voice their displeasure. MGMA did the right thing and responded with a discount code for one free on-demand session.

The 122-provider Elmhurst Clinic (IL) deploys Phytel’s population health management suite to help clinic case managers and nurses manage recently discharged patients and ensure appropriate follow-up care.

3M Health Information Systems introduces the 3M Outpatient CDI Program, which offers consulting services for outpatient facilities and physician practices needing to improve the documentation and coding process.

Nuance Communications announces the Clinic 360 suite, an outsourced transcription service and application for physician practices that manages the dictation, review, editing, and sign-off of patient documents. Nuance also introduces a new version of Dragon Dictate Medical for Mac.


Email Inga.

MGMA13 Wrap-Up 10/9/13

October 9, 2013 News 2 Comments

I departed San Diego bright and early Wednesday morning and thanks to Wi-Fi on the plane I only have about 400 emails left to read (if I owe you a reply, please give me a day or two.)

I covered a fair amount of ground in my previous posts but here are a few random, if rambling musings. Hold on for the ride.


I had noticed a particular vendor posted several Tweets encouraging attendees to stop by their booth at specific times for a demo of their latest software. I headed to their booth at the specified time and had a conversation with an employee that went something like this:

Me: Is the demo of the new EMR version just for existing customers or would it be helpful for someone who just wants to see your EMR?

Vendor: It’s really for existing customers. Are you looking to buy a new EMR?

Me: Actually I am not with a practice.

Vendor: Oh, well you might just want to come back in a couple of hours and see our presentation on ICD-10 because that will include information applicable to anyone.

Me: Hmm. Okay.

So, I went away in frustration, wondering why I was not offered some sort of EMR demo, not to mention why Vendor would think a presentation on ICD-10 would be a good substitute for a look at their latest EMR software. Could it be because my badge did not say “practice administrator?” Maybe they were thinking I only wanted a demo to get in the drawing for their tablet giveaway. Maybe next year.


On the other hand, I had an amazing experience with the folks at CompuGroup Medical. The staff was wearing the t-shirts above, which I thought were quite clever. I told a couple of the ladies I really loved the shirts, and they mentioned they had been giving them away but had just run out. I expressed my disappointment, continued chatting a bit, and then the CEO Norbert Fischl walked over and told me he’d give me his t-shirt if I took a few minutes to hear about their disease management platform. To clarify, he did not give me the shirt off his back – just an extra one he was taking home. It was more than a fair trade and I learned about their offering that integrates patient data from EMRs, claims, labs, pharmacies and other sources to identify at-risk patients based on evidence-based clinical standards. Providers can then create personalized health goals for individual patients and track their progress. Their target market includes ACOs and payers that need tools for automating the chronic disease management process and for proactively identifying at-risk patients. CompuGroup also offers several EHR, PM, RCM, and portal solutions and internationally sells products for clinicians, hospitals, pharmacies, insurers, and the government. If there were an award for Best Effort to Draw Someone Into Your Booth and Look at Your Product, CompuGroup and Norbert would win hands down.


I chatted with one of the Practice Fusion reps for a while. They seem like a young and enthusiastic bunch, which gives me some insight into the company’s culture. I asked him how the company made money if the EMR was free, and he told me about the ads that display in the software. I tried to get him to tell me what the company was doing in terms of selling de-identified PHI but he claimed he didn’t know much about that. I’m pretty sure he was telling me the truth since he was primarily involved with getting providers signed up on the EMR. I believe he said that the company currently has 30,000 active physician users.

Speaking of Practice Fusion, I had a few conversations with folks about their recent $70 million round of funding. It seems to have a number of smart people scratching their heads, though one person did tell me he believes the company is well-run and does a good job continually enhancing the product.


Julie at Clinicspectrum stopped me and told me a little bit about her company, which provides back office services for practices, hospitals, and billing services at a set rate of $6.50 per hour. They off-shore their services but you have to love the simplicity of the model.


I asked several vendors how the show was and the general consensus was very positive. Several expressed disappointment, however, with the limited amount of time the exhibit hall was open. One person shared MGMA’s explanation that they had studied trends from previous years and determined that most leads came in during the particular hours the hall was open this year. Perhaps, but if a vendor is investing thousands of dollars at a trade show and has flown in staff from across the country, I would think most would rather have the exhibits open more than three hours a day. Not to mention that lunchtime overlapped the exhibit hall hours, meaning that attendees who wanted to eat had that much less time to check out the exhibits. It will be interesting to see if MGMA decides to keep the same schedule next year.


A friend told me I should check out PatientPoint and it was a good recommendation. Their platform includes a patient check-in/care coordination component that integrates with a practice’s EHR and scheduling system; an exam room piece that takes the place of traditional paper brochures so patients can read up on different conditions while waiting for the physician; an internal communication system for the practice; and, a waiting room monitor to display educational content. They also offer a platform for hospitals and for consumers. It’s all about coordinated care and patient engagement.

Speaking of engagement, it’s amusing to hear the different ways vendors attempt to engage people. As I strolled the aisles, I had eager sales reps ask if I wanted to save money on billing; if I was looking for new options to handle after-hours phone calls; if I had considered using automated patient reminders, etc.  Amy at Patient Prompt even offered me a 20 discount on her company’s appointment reminder services if I signed up at the show (I declined.)


I wanted to chat with the Aprima folks but I never could get anyone’s attention. I was happy to see they had their HIStalk Sponsor sign displayed, as did Wolters Kluwer, IMO, Allscripts, PatientKeeper, Vitera, and about 20 others.

I bet we’ll see more and more companies like Ellkay, which offers data migration and conversion services for EHRs. They told me business is booming.


I noticed Allscripts was showing the FollowMyHealth portal, which they purchased from JarDogs earlier this year. The rep told me they have been selling more of the FollowMyHealth product than the Intuit/Medfusion platform because customers say it offers more functionality. Allscripts is selling FollowMyHealth to their own customers, as well as non-Allscripts practices.


MGMA’s Jeb Shepard and Jennifer Gasperini led a session offering updates on healthcare-related happenings in Washington. It covered a lot of ground and was informative but also pretty depressing. Jeb also gave an excellent and non-political explanation of the ACA and the insurance marketplace. The speakers offered their email addresses in case attendees have questions in the future. Duly noted.

In terms of booth traffic, athenahealth seemed to be buzzing every time I walked by. I also listened in on a demo and overheard one of the execs being drilled by a CIO-type on data security, connectivity guarantees, redundancy and similar topics. The answers were solid, giving me insight into some of athena’s success.

Sunday afternoon, while waiting for the exhibits to open, I chatted with an administrator from a large practice that uses Vitera. He had experience with a number of other products, including Greenway. He felt strongly that once the Vitera/Greenway merger was complete, the Greenway management team would be taking over because their product, reputation, and company culture were superior. I disagreed but shared this conversation with a few other folks over the next couple of days. The general consensus: Vista and the Vitera team will end up calling the shots, though the Greenway leaders may stay on for a while.

I may need to reflect on this a couple more days, but if I could pick a single word to summarize attendees’ general state of mind it would be “anxious.” Anxious, as in they see many changes looming in terms of payment models, practice ownership, and government regulations. Maximizing revenues and cutting costs remain the top priorities, meaning practices must figure out the most painless path to ICD-10, evaluate whether the benefits of later MU stages are worth the effort, and whether their physicians (and patients) would be better served if they consolidated with a health system or another group, or participated in an ACO, or converted to a PCMH model. HIT tools are available to ease some of the pains, but it’s no doubt overwhelming to find, implement, and pay for new products, especially as more vendors consolidate and products are sunset. Gosh, do I sound like the oft-pessimistic Mr. H with all this doom and gloom?

Thanks MGMA for a well-run, informative, and fun conference. See you next year in Vegas!


Email Inga.

From MGMA 10/8/13 Afternoon Update

October 8, 2013 News No Comments

I’m a little weary from my day so this update will be brief. I’ll have a complete wrap-up tomorrow.


I have an important announcement to make: I’ve decided to stay in San Diego and open a hair salon.


Dear Emdeon: please send me a pair of the lime green shoes.


Thanks Capario for displaying your HIStalk sign!


Sadly I missed out on NextGen’s chair massage.


My favorite booth. Cool couches, open, and welcoming.


If I hadn’t just had my picture taken in a boa at Greenway’s party I would have donned a fun get-up and taken advantage of Trizetto’s photo booth.


I don’t recall what Emdeon was giving away but a crowd of folks were hoping to win something big.


Nothing draws more people than a drawing for $1,000, courtesy of MGMA and their sponsors.


I intentionally went light on swag, but I am optimistic I will get an email from someone saying I won an iPad mini.


I have the best story to go with this tee shirt, and I will share it tomorrow. For now let’s just say that the CEO of CompuGroup Medical rocks.

Happy travels if you are heading home Tuesday. If you are still in San Diego tonight, I’ll be the one with swollen feet and flats.


Email Inga.
