Bowtie Confidential 10/18/13

October 18, 2013 Guest articles No Comments

Help Prevent Breaches with HIPAA Compliance

Since every healthcare organization is affected by the passage of the HIPAA regulations, one would think that all should be working diligently on compliance. In addition, patient health information breaches are clearly out of control. Planning for HIPAA compliance is very similar to disaster planning – and a breach is certainly a disaster. Yet there is little mention or urgency surrounding HIPAA compliance.

For instance, an organization that incurs a breach suffers significantly in terms of financial, public relations, and other functions that could result in disastrous outcomes for the organization. However, it appears that many organizations find it challenging to create a proper HIPAA security planning initiative. The benefits that come with complying with the current HIPAA Privacy Rule are beyond simply avoiding regulatory sanctions. The rule helps an organization avoid a disaster such as a breach.

Creating a best-practice security program addresses HIPAA compliance and can be used to build the foundation for future technology. Further, leveraging the tools and planning efforts of the organization’s disaster recovery plans and approach could also enhance the HIPAA compliance planning effort and identify areas where data may be compromised. Systems implemented today, such as computerized physician order entry, e-prescribing, picture archiving and communication systems, wireless data networks and electronic medical records, are very costly to secure post-implementation. When planning for new systems, many factors should be included in the requirements, such as a HIPAA-compliant security program. It helps organizations avoid expensive add-on security measures. HIPAA-compliant organizations can also reduce medical errors, increase patient satisfaction and trust, improve quality of care, and create operational efficiencies.

A five-step process

Using ISO (International Organization for Standardization) and National Institute of Standards and Technology (NIST) standards, an organization can address and meet HIPAA security compliance through a five-step process. (Organizations should always attempt to use ISO/NIST standards in developing these processes.)

The first step is to perform a formal risk assessment and gap analysis. The assessment helps guide the organization in decision-making and addresses required standards in the HIPAA security rule. A detailed assessment provides awareness of the organization’s assets and risks, and identifies controls to help manage those risks. This is similar to a business impact analysis when conducting either a disaster recovery or business continuity plan.

Next, the organization will be required to address compliance gaps, which will result in a remediation plan. The plan should concentrate on the reasonable and appropriate people, process and technology requirements needed to attain and monitor compliance. This phase should be based on industry guidelines and frame the organization’s structure for ongoing security management, while complying with HIPAA security. A formal response and notification process is a key component, as it is in a business continuity/disaster recovery plan. Communication is critical to alerting and notifying key leadership, organizations and staff and to resolving the interruption or breach.

Once the remediation plan has been accepted by the organization, implementation is next. Implementation includes process and technology changes needed to close identified gaps.

Once the gaps have been closed, the organization now turns to managing and testing the plan’s effectiveness. The objective is to keep gaps closed and develop contingency plans based upon the enhanced security infrastructure.

The final phase is to educate the organization to make the new changes part of the organization’s culture. Staff seems to be the weak link in an organization’s security, as it only takes one staff member to invalidate well-designed security controls. Ongoing security education and training should be provided for management, clinical, technical staff and the general user community. Training Business Associates should also be considered. It should be noted that the security plan is dynamic, and will need to be reviewed and monitored continuously. HIPAA compliance will help your organization’s privacy and security processes. Security planning can be synonymous with disaster planning and will reduce the likelihood of breaches.

One of the critical tools used to protect patient health information is encryption. To find out more about encryption, such as what should be encrypted and how, see Hayes’ Shefali Mookencherry’s blog, The Time to Encrypt is now: HIPAA and Encryption.

Rob Drewniak is vice president, strategic and advisory services, for Hayes Management Consulting.

From the Consultant’s Corner 9/21/13

September 21, 2013 Guest articles No Comments

Get Ready, Here it Comes: Tips to Prepare for MU Stage 2
By Jason Drusak

This year is flying by. It seems like just yesterday that Meaningful Use (MU) Stage 1 kicked off. As we head into the last half of 2013, we’re thinking about the move from MU Stage 1 to MU Stage 2.

Since 2014 is the implementation year for Stage 2, you’ll need to prepare for it in the third and fourth quarters of this year. So, how do you prepare? I haven’t seen any exact steps to follow for Stage 2, so I offer these five tips to help with an effective ramp-up.

Create a review team

You need to involve clinical, financial, and technology stakeholders in MU Stage 2 plans because Stage 2 reporting requirements are more clinical in nature than MU Stage 1. On the technology side, you need someone who’s responsible for the application, plus someone on the reporting side. In fact, I’d say that data gathering and reporting are the most important aspects on the technical side. After all, if everything isn’t entered correctly, the reports won’t be appropriate. 

Learn from what you’ve done

Stage 2 is the same as Stage 1 – but different. Look at what worked well in Stage 1 and learn from any mistakes you might have made. What would you do differently? With Stage 1, you focused on installing workflows to capture data for certain measures. Moving to Stage 2, you need to be sure you’re entering the actual data correctly for those measures. If there was an issue with data entry on a navigator section or an issue with a grouper or measure configuration, review setup and build for data entry, data gathering, and reporting output.

If in Stage 1 a site had issues in one of these areas, now would be a good time to assess how data is being entered for each measure in order to iron out the troubles before they become even larger in Stage 2. It’s important to review the workflows so that data entry is accessible for the clinician, as well as the system build for each measure. Additionally, you’ll want to confirm that data capture pieces are in place and configured correctly. Evaluating which reports are used to monitor progress will help ensure that they are formatted in a way that is easy to read and provides value.

Conduct a gap analysis

Compare Stage 1 work with Stage 2 requirements. Are there areas where you need to catch up? Data measures are changing and you will need to collect additional data; go ahead and set up workflow changes to capture that data now. For example, the threshold for the smoking measure is moving from 50 to 80 percent. Now is the time to put the new threshold in place.

Adjust monitoring reports for these measures so you can see which ones will meet the new requirements and what areas may need to be investigated for any shortcomings. One new core measure is that more than 30 percent of lab orders must be entered directly into CPOE. Even though you don’t need the data today, turning this measure on and completing the build now will show your progress for compliance with this measure and will give you time to make any necessary changes before Stage 2 arrives.

Check your software

This is not the time to be retro. Examine the level at which your software is operating and be sure it’s up to date. I’ve noticed that major updates tend to come out about every other year – along with ongoing patches and fixes. Work with your technical team to look at big and small updates, allowing time for any needed upgrades. As obvious as it sounds, make sure you’re getting all the MU updates as soon as they’re available. Don’t wait until 2014 when Stage 2 is being implemented to get the latest versions of your programs. 

Test first

Don’t cram the night before the exam. Your upgrade plan needs to include testing before go-live. I’d say it’s close to impossible to test a report without some type of real data. You may have to scramble it to make it unidentifiable, but you need a realistic data environment for testing something as big as MU Stage 2.

MU Stage 2 is coming whether you’re ready or not. Stay ahead of the game by preparing for the 2014 implementation today.

Jason Drusak is manager of consulting services at Culbert Healthcare Solutions.

From the Consultant’s Corner 9/10/13

September 10, 2013 Guest articles No Comments

What’s Your EHR’s ROI?

Mention “return on investment” in the same breath as “electronic health record,” and you’re likely to get a mixed reaction because the promised benefits of reducing costs and improving quality have been offset by reduced physician productivity or dips in financial performance for many organizations. While these risks are real, the potential “soft” benefits of improved quality and enhanced patient satisfaction, as well as “hard” benefits of improved revenue, are also real.

Given the capital investment needed to purchase and implement an EHR, you’d think that every healthcare organization installing these applications would have documented baseline performance; set clearly defined goals in terms of quality, expenses, and revenues; and established processes for monitoring their progress toward meeting these goals. However, I’ve found that’s not the case for most organizations making these large-scale investments.

In my experience, those organizations that do actively monitor results and work toward specific ROI goals seem to have better success with their EHR implementation, both clinically and financially. While some may not be seeing a cash increase at the end of the day, they are closing the gap between expenses and revenue. More importantly, they are better positioned for competing in an evolving reimbursement landscape where there is a shift from volume to value.

So how do you define and measure the ROI for your EHR? Here’s where you can start.

Measure baseline performance. Before starting down the road to implementation, you have to understand key baseline performance measures, including patient satisfaction, physician productivity, revenue cycle performance, and perhaps most importantly, key quality measures. By understanding these measures, leadership can set quantifiable goals and monitor the progress toward those goals. What is not measured is not going to be managed, and what is not managed is not going to improve a practice’s quality-cost curve.

Set expected ROI goals, not just financial goals. While a practice may not see a purely financial return from its EHR investment for several years, it is important to monitor financial results in order to mitigate risks of decreased physician productivity and practice revenue. Because quality will play an increasingly important role in reimbursement, workflows and system build decisions during implementation must support the capture of clinical data in a manner that ensures reporting is transparent and efficient.

Monitor ongoing performance. Unfortunately, once the system is live, the work is not necessarily finished. Dashboards and reports must be utilized to continually monitor your organization’s performance and to compare results with expected outcomes. While the goal is to ensure continual improvement, this step also is effective in proactively identifying post-implementation problems.

By setting realistic goals for your EHR, defining performance measures, establishing baselines, and monitoring data over time, your organization can truly get a handle on whether the EHR is living up to expectations and delivering a solid return on investment.

Brad Boyd is vice president of sales and marketing for Culbert Healthcare Solutions.

From the Consultant’s Corner 6/27/13

June 27, 2013 Guest articles No Comments

Covering Your Bases: Preparing for ICD-10 Cash Flow Impacts
By Brad Boyd

You know those routine chart audits you regularly complete as part of your billing compliance program to make sure patient encounters are coded and documented correctly? That audit process can be invaluable when it comes to your ICD-10 conversion.

Imagine for a moment your organization’s conversion to ICD-10. You’ve trained your coders and physicians on the new code set and even done some test runs. Despite this, 30-60 days after October 2014—right around the holidays—your organization experiences a dramatic drop in cash flow. After looking into the issue, you realize that you’re not getting paid as much as you once were. Gaps between current documentation and coding processes and ICD-10 requirements will impact reimbursement.

To avoid this situation, I suggest to medical group clients that they leverage their current claim auditing and coding education program to look for gaps between ICD-9 and ICD-10 coding and documentation requirements, as well as reimbursement impacts. Here’s how the process works. After you audit your current charts for ICD-9 compliance, you determine what the reimbursement would be for those charts. You then figure out what needs to be documented to achieve the same level of reimbursement if the charts were coded in ICD-10, revealing potential gaps that need addressing.

One way to close gaps is through physician and coder education. I also suggest you go a step further and share information about gaps with your vendors who are currently in the process of designing upgrades to ICD-10 coding and documentation tools. By providing feedback about gaps to vendors right now, you give them the opportunity to address those disparities, further ensuring tools and solutions that adequately meet your organization’s needs.

Despite thorough planning, your organization’s cash flow may still take a hit for a period of time after ICD-10 goes into effect. As a further “insurance plan” against money loss, I recommend communicating with your biggest payers and trying to negotiate a worst-case scenario cash flow plan. You must be careful when broaching this topic. I suggest being fully transparent about your approach to ICD-10 implementation, showing the payer that you’ve done your due diligence. This could involve sharing your risk assessment, project plan for mitigating any anticipated risks, training programs for clinicians and coders and governance structure for the implementation.

Once payers understand that you’ve done everything you can to prepare, they may be open to discussing a short-term, emergency payment arrangement based on historical information about service volumes. I firmly believe that setting up this type of back-up plan can help your organization ensure adequate cash flow for a period of time as you work through unexpected issues with the new code set.

Although October 2014 may seem like a long way off, it will be here before we know it. Most of the organizations I work with are making steady progress toward implementing the new code set, having completed an impact assessment and project plan. However, I have noticed that organizations often underestimate the need to consider the potential cash flow impacts of the switch. Taking the time to understand and prepare for changes in cash flow can help your organization put mitigation strategies in place to support a smoother transition with limited disruptions.

Brad Boyd is vice president of sales and marketing for Culbert Healthcare Solutions.

Bowtie Confidential 6/7/13

Healthcare Data Governance and Data Stewardship

There is a wealth of articles about data governance, including one that I wrote earlier for HIStalk. It is becoming clear that in today’s complex healthcare environment, data governance and ownership are emerging disciplines with evolving definitions.

As the data-driven healthcare environment provides benefits (e.g., data aggregation enables more efficient care delivery, decision support systems, etc.) and the potential for risk/harm (e.g., incorrect data entry), the industry is realizing the importance of accurate healthcare data, which is dependent on technology.

Through data governance, organizations exercise control over the processes and methods used to input, aggregate, use and re-use data. Data stewardship is an evolving role in this space. The disciplines need to be seen as more than an IT responsibility and as the responsibility of end users as well.

To realize data’s full benefits and minimize potential risk, care providers and others with access to health data must follow sound data stewardship policies and procedures which address the security and privacy of patient data and the quality and integrity of data collected, stored and currently (and prospectively) used.

The data stewardship role is responsible for working with and managing data in terms of integration, consistent definitions, structures, metrics, derivations, etc. – strategic and tactical views of data that will enhance quality, metrics/reporting and efficiencies and effectiveness in delivering care. Both identifiable and de-identifiable data are included within this context. Healthcare environments will need different operations and solutions. However, the presence of data stewardship (an owner or custodian with authority and accountability for the use of health data) is needed.

What is data stewardship?

Healthcare data stewardship’s main objective is the management of the organization’s data assets to improve usability, accessibility, and quality. The data steward works with technology database administrators, data warehouse staff and others to:

  • Assist with approval of clinical and business naming standards
  • Develop consistent data definitions
  • Determine data aliases
  • Develop standard calculations and derivations
  • Document the business rules of the corporation
  • Monitor the data quality in the data warehouse
  • Define security requirements

As the demand for data warehouses (with reliable and “quality” data) has grown, so has the need for a data stewardship function. An integrated, enterprise-level view of the data provides the foundation for the shared data that is so critical in the data warehouse.

A typical healthcare organization should consider assigning one data steward to each major clinical/business/operational data subject area. These subject areas include business office, registration (admitting), radiology, laboratory, pharmacy, cardiology, etc. The size of the organization will dictate the number of data stewards needed. A small practice may need just one to oversee all of the data.

The data steward usually works with a select group of employees representing the assigned subject area. This “committee of peers” is responsible for resolving integration issues concerning their subject area. The results of the committee’s work are passed on to the data administrator for implementation into the corporate data models, meta-data repository, and ultimately, the data warehouse construct.

Just as there is a data architect in most data administration functions, there should be a "lead" data steward responsible for the work of the individual data stewards. The lead’s responsibility is to clearly establish each data steward’s domain.

With data stewardship and enhanced governance, an organization can improve data quality, protect sensitive data, promote efficient information sharing, provide trusted business-critical data, and manage information throughout its lifecycle. The data stewardship program enables organizations to develop a strategic approach to utilizing data as an asset to ensure the security and privacy of the data for/of their patients. The program can improve financial performance, increase operational effectiveness and efficiency, and allow full compliance with regulatory requirements.

Of course, it is not about data alone. Data stewards must work with businesses to map collection needs and, where possible, find better or more efficient sources. Then, the steward can create appropriate use policies to limit the collection of unnecessary data and, later on, audit data practices to ensure business compliance.

Data stewardship enables organizations to improve financial performance, increase operational effectiveness and efficiency, and allow full compliance with regulatory requirements.

Rob Drewniak is vice president, strategic and advisory services, for Hayes Management Consulting.
