May 17, 2013

AMA Fails To Do Homework on ICD-11 Cost Analysis

The American Medical Association (AMA) failed to complete their homework assignment before concluding in a report that skipping ICD-10 to move directly to ICD-11 is not a feasible option. Just like CMS (see CMS prematurely dismisses the alternative option to forgo ICD-10 and implement ICD-11), the AMA failed to compare the total cost of implementing ICD-10 and then implementing ICD-11 to the total cost of foregoing ICD-10 to implement ICD-11 sooner. To make matters worse, the AMA's report openly states that they only performed a preliminary assessment of the feasibility of moving from ICD-9 directly to ICD-11.   Since when does one draw a final conclusion based on a preliminary assessment?  

Several statements in the report lead me to believe that the AMA prematurely issued this report without performing a comprehensive analysis in order to maintain political relationships with other healthcare stakeholders.    For example, the AMA states that "while many physicians have concerns about the costs and burden of ICD-10, there are many other stakeholders, including 24 government agencies, researchers, large payers, large health system providers, and public health entities, that support the conversion."    OK, let's think about that...the AMA acknowledges that physicians are concerned about the costs, and yet they offer no comparative analysis of the costs. Which relationships have the appearance of being more important to the AMA in this case:  physicians or others?

The AMA states that "stakeholders have already invested millions towards the adoption of ICD-10."   This is certainly true, but I do not see these sunken costs as an obvious reason to eliminate the ICD-11 option. Instead, I see these costs as one of the important variables in a simple equation:

x= total cost of ICD-10 implementation + total cost of ICD-11 (two complete implementations)

y=sunken cost of ICD-10 work + total cost of ICD-11 (one complete implementation + sunken cost of partial implementation)

Is x greater than or less than y?   As a physician I expect my professional organization to actually do the math before writing down an answer.  

And finally, the AMA makes an argument for ICD-10 because "some have speculated" that it could take 20 years to implement ICD-11.   This is really quite embarrassing, as even CMS stated in their  ICD-10 final rule that ICD-11 could be implemented as early as 2020.   In a recent  Health Affairs report informatics experts speculate that an accelerated ICD-11 implementation could occur in 5-7 years, and they are in agreement that we need to transition to ICD-11 sooner than 20 years from now.

I recognize AMA as a strong advocate for physicians, but I give the organization an "F" on this homework assignment.   

Posted at 06:30 AM in Current Affairs, ICD coding, Legal/Compliance, Physician Adoption | | Comments (0) | TrackBack (0)

| | | | | |

April 10, 2013

EHR Interoperability is a Nervous System

For those familiar with using email applications such as Outlook, Gmail or Apple Mail, it might not seem like it should be very hard to send and receive electronic health information.   But as it turns out, maintaining privacy, security, HIPAA compliance and electronic patient consent is very complex when exchanging electronic health data over the Internet.   It is not easy even for physicians and hospitals using fully functional EHRs.

Virtual Scenario:  Imagine that your patients’ electronic medical records are packaged in individual charged impulses that can propagate along the axons of a national health IT nervous system. This neuronal circuit provides the infrastructure needed to send one of those charged impulses containing the right information on the right patient to the right receiving provider whenever and wherever needed. As physicians know, the charged impulses will propagate along the tubular-shaped axon until they reach the terminal end, which does not directly connect with another axon. Instead, there is a gap or synapse which prevents the impulses from proceeding unless an intermediary event occurs. This constraint prevents chaotic, asynchronous transmissions of impulses that would result in unwanted movements or seizures. So, trusted intermediaries (i.e. neurotransmitters, ions) are needed at the gaps or synapses to enable axons to “talk” with one another in a standard and controlled manner. This allows the charged impulses to proceed in a synchronous manner. The axons, gaps, synapses and intermediaries must work together, or be “interoperable”, so that the charged impulses travel in a secure, coordinated manner all the way to their intended destination.

In this scenario the imaginary national health IT nervous system is analogous to the real-life health IT infrastructure being developed at the national and state levels through National Health Information Network (NHIN) Direct project and the State Health Information Exchange (HIE) Cooperative Program.   The charged impulses represent each patient’s electronic health information.  The axons represent each physician’s cable to the Internet.   The gap or synapse represents the present-day constraints on our ability to send and receive electronic health information to one another.   The trusted intermediaries represent local health information exchanges (local HIEs) and health information service providers (HISPs) that allow each physician’s axon to communicate through the Internet with axons from other physicians and hospitals.  The interoperability needed among all parts of the virtual health IT nervous system is analogous to the interoperability needed among all parts of the real-life health IT infrastructure including EHRs, local HIEs and HISPs.

The Nationwide Health Information Network (NHIN), through the NHIN Direct project, defines standards, services and policies at a national level for health IT interoperability.  At the core of NHIN Direct are trusted intermediaries that physicians can connect to in order to allow electronic health information to traverse the synapses between their axons and those from other physicians and hospitals.   These trusted entities are called health information service providers (HISPs). HISPs are able to authenticate the senders and recipients of electronic health information.   This provides verification regarding who really sent information and who really received it while also maintaining privacy and security while the data passes across the axonal synapses.

The Office of National Coordinator for Health IT (ONC) is making an effort to trickle down NHIN Direct standards and protocols to each state.   Through the State HIE Cooperative Program, ONC grants funds to states who submit plans to build statewide health IT infrastructure to support interoperable health information exchange.   In order to be funded the states must adhere to NHIN Direct standards.

For example, the Texas Health Services Authority (THSA) is using the grant funds to serve as a statewide convening entity that has gained consensus from a broad base of healthcare stakeholders on a three-pronged strategic plan for HIE in Texas:

  1. Local HIE Program— Local HIEs are another type of trusted intermediaries, like HISPs, that physicians can connect to in order to allow electronic health information to pass across the synapse to the axons of other physicians, labs, radiology centers, hospitals or others with electronic health information. Twelve local HIEs were launched in 2011-2012 with partial funding through the THSA’s Local HIE Grant Program. Some are currently operational and actively providing HIE connectivity to physicians and hospitals in their area 
  2. State-level IT infrastructure and services—The goal is to develop statewide infrastructure and services that can be used by local HIEs to help them provide HIE services locally as well as to enable exchange of data from one HIE to another (statewide HIE services); also to support a transparent governance structure and develop policies and strategies that guide maturation of statewide health IT infrastructure
  3. “White Space” initiative—The goal is to make available basic health information exchange services to physicians and hospitals in regions of the state without local HIEs (the “white space”) by creating a marketplace of health information service providers (HISPs); physicians can apply for “vouchers” from THSA to offset the initial costs of connecting with the HISP they select.
Physicians should stay abreast of health IT interoperability efforts like these, especially those in their own communities like the local HIE efforts in Texas.  Physician input and involvement in these initiatives helps ensure health IT is spliced into the healthcare industry's genome in way that promotes high quality care.

Posted at 09:51 AM in ARRA/Stimulus Funds, Current Affairs, EHR, Health Information Exchange, Health Reform, IT Physicians, Leadership | | Comments (0) | TrackBack (0)

| | | | | |

January 10, 2013

Vendors Can Raise EHR Safety, Lower Business Risks Through Patient Safety Organizations

Physicians are disturbed when patient care is put at risk due to a problem caused by their use of an electronic health record (EHR).    Although they will generally tolerate the situation when their reported problem is effectively managed in a transparent manner, there are a number of situations that engender scorn for their vendor.   The most common scorn-generating situation is when they feel that the patient safety issue they reported has not received a high enough priority from their vendor.   These situations should, and often do, resolve when the doctor and vendor communicate a clear understanding of the problem and circumstances.  

But it is another situation that I think is much more frustrating.   A physician’s expectation is that EHR vendors respond to patient safety issues in the same manner physicians respond to adverse medical events.   Physicians engage in peer review activities to not only analyze and resolve a specific adverse event, but also determine a plan that reduces the risk of the adverse event happening again.  The most common peer review activities provide legal protections from discovery which promotes transparency and more effective management of the problem.  Physicians analogously expect EHR vendors to not only fix their problem, but also to transparently fix it for all other physicians using their product.   This puts EHR vendors in a quandary because the legal protections of peer review activities extended to physicians are not extended to EHR vendors.  

Resolving this problem will require assistance from the federal and state governments.    Along those lines the Office of the National Coordinator for Health Information Technology (ONC) published a Health IT Safety Plan on December 21, 2012, and is accepting public comments on it until February 4, 2013.   I believe the most important aspect of this plan is the development and use of patient safety organizations (PSOs) to identify, aggregate, and analyze health IT safety events and hazard reports.    

The aviation industry continually improves passenger safety by engaging pilots in self-reporting of errors and dangerous conditions through an offer of immunity from sanctions.   The federal Patient Safety Act of 2005 provides an analogous environment allowing physicians in the outpatient setting to voluntarily report and share quality and patient safety information to AHRQ-certified PSOs without fear of legal discovery.   Most physicians are familiar with the secure nature of communications when they are involved in hospital quality improvement activities.    The information, documents, discussions and committee reports generated under the hospital’s umbrella of quality programs are held confidential and privileged.   Privileged communications cannot be disclosed and used in medical litigation without consent.   PSOs offer an analogous umbrella of protection for physicians in the ambulatory setting.    Physicians may voluntarily report patient safety issues or quality data from their outpatient practices to a PSO on a privileged and confidential basis.    The PSO can aggregate and analyze information from multiple physicians and healthcare entities to help identify, prioritize and reduce hazards that impede quality care.

The legal protections offered to physicians through PSOs are not currently extended to EHR vendors. They should be, and I will endorse that change in my comments to ONC’s Health IT Safety Plan.   But even without this change there are ways for EHR vendors to safely engage with PSOs today.    Let’s consider one such scenario:

Fictional scenario:  Community physicians and several EHR vendors are associated with the same patient safety organization (PSO). Dr. X is one of the physician members and his EHR vendor, VendorZ, is an analytical contractor with the PSO. After entering a digoxin dose in his EHR’s Medication Reconciliation screen, Dr. X discovered that the dose displays with a misplaced decimal point on the Medication History screen. He reports this dangerous dosing error to his PSO as a patient safety issue. The PSO notifies VendorZ. VendorZ begins working with Dr. X’s office to resolve the issue. Because VendorZ is an analytical contractor with the PSO to which this patient safety issue was reported, the reported problem, analyses, results and recommendations are confidential and privileged. When a solution is identified, there is no legal threat that disincentivizes the PSO or VendorZ to withhold this known problem and solution from other physicians in the PSO who use the same EHR. The PSO notifies all of those physicians who are members of the PSO and proactive work is done to prevent this same problem from harming patients in other practices.

EHR vendors are not inclined to openly discuss EHR problems when there is the threat of litigation against them for doing so, similar to fears physicians have with discussions of their own medical errors.   But this fictional scenario exemplifies one plausible way for EHR vendors and physicians to collaborate on health IT risks today under the protective umbrella of PSOs.

As stewards of safe, quality care physicians should have a basic understanding of PSOs and carefully consider opportunities that arise to engage with a PSO on initiatives to improve outpatient care in their community.   EHR vendors should demonstrate a similar stewardship by helping educate physicians about PSOs and engaging with physicians through PSOs to improve the safety of their EHR products.

Posted at 09:00 AM in Current Affairs, EHR, EHR products, EHR Risks, Health Reform, Leadership, Legal/Compliance, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

October 09, 2012

Dangerous Precedent Set To Financially Penalize Doctors Who Fail to Influence Patient Behavior

I strongly oppose use of quality measures that incentivize or penalize physicians based on their ability to influence patient actions when those actions are beyond reasonable control of physicians or if there is no evidence linking such actions to improvements in patient outcomes.    That is why I believe there is a dangerous precedent being set in the Stage 2 electronic health record (EHR) incentive payment rule which will penalize physicians if they fail to influence patient behavior in a manner desired by the Centers for Medicare &  Medicaid Services (CMS).    

Two of the 17 Stage 2 core objectives hold physicians accountable for ensuring that their patients use technology at home.   One measure requires at least 5% of unique patients seen during the reporting period to send a secure message to the physician's practice using the electronic messaging function of the EHR.   A second measure requires at least 5% of unique patients seen during the reporting period electronically view, download or transmit their health information.   

In order to qualify for Medicare and/or Medicaid EHR incentive payments and avoid financial penalties, physicians must meet all 17 core measures as well as three from a menu of six additional measures.    Physicians must also report on nine of a total of 64 specific clinical quality measures.  Physicians who fail to do so by 2015 will not only fail to receive annual EHR incentive payments, but also be penalized by CMS through annual payment adjustments. 

In the final rule for the Stage 2 EHR Incentive Program CMS responded to public comments on these two new core objectives. CMS argued that physicians are in a unique position to strongly influence the use of technologies by patients "to improve their own care."    They did acknowledge a potential barrier of limited broadband internet access that could impact some physician practices and patients.   So in the final rule CMS lowered the threshold from 10% to 5% and added an exclusion for practices that are impacted by limited broadband access.   CMS summarized their response with, "We believe that this lower threshold, combined with the broadband exclusion detailed in the response, will allow all EPs (eligible physicians) to meet the measure of this objective."

I can agree with CMS that physicians should leverage the influence we have on patient behaviors as part of the care we provide.   We certainly are in a unique position to help patients become more engaged in and compliant with their healthcare.   I even agree with CMS that the lower thresholds should not be difficult to meet and that it is important for physicians to offer these technologies for patients to use.    

My key point of contention with CMS is with the presumption that use of these specific technologies at home allows patients to "improve their own care".    If use of these technologies were objectively linked to improved patient outcomes, I could understand the value in financially incentivizing physicians to move patients in that direction.   Without such evidence the government's relationship with physicians would be better served through a more tactful approach to promote the use of promising technologies by patients without the strong-armed threat of financial penalties on doctors. 

CMS misses the point on this one.    Precedent should not be set to penalize physicians based on measures of their ability to engineer desired patient behaviors when those behaviors are not objectively linked to improved patient outcomes.   I am not saying that we should not offer these technologies to our patients.    I am saying that we should promote their use and then study how that use impacts the quality of care

 

 

Posted at 07:00 AM in Current Affairs, EHR, Incentive Payments, Meaningful Use | | Comments (0) | TrackBack (0)

| | | | | |

August 25, 2012

CMS Decision on ICD-10 Spurns Optional Path to ICD-11 Without Comparing Value

 

"The decision to mandate ICD-10 for covered entities has already been made."  

This response in the ICD-10 final rule published last Friday by the Department of Health and Human Services (HHS) bluntly spurns the option of foregoing ICD-10 to implement ICD-11.   HHS predictably argues that the considerable investments already made by healthcare organizations into ICD-10, the years of rulemaking with previous analyses of ICD-10 value/costs and the "uncertainties" over the timeline and value of ICD-11 all justify a decision to eliminate ICD-11 as an option.  

I am disappointed that HHS made no estimates on the comparative value of ICD-10 to ICD-11.   Instead of comparing the total cost of proceeding with ICD-10 and then implementing ICD-11 to the total cost of foregoing ICD-10 to implement ICD-11, HHS candidly explains that "we do not participate in this debate in this rule, except to say that we are convinced of the benefit of ICD-10 to health care delivery in this country."  There clearly was no intent to revisit a previous decision to implement ICD-10, even though there is an opportunity to gather and analyze new information to assure we make an informed decision on the optimal pathway to an inevitable ICD-11 implementation. 

The final rule dismisses the call from several commenters on the proposed rule for an analysis of the total costs of the two pathways to an ICD-11 implementation.   One argument made against such an analysis is that the "the disruption and costs of transitioning to ICD-11 are highly unlikely to be less those of transitioning to ICD-10."  I agree that each individual implementation may have comparable costs, but that does not compare the cost of the two pathways which are: 

  1. Implement ICD-10, then implement ICD-11 (two complete implementations)
  2. Forego ICD-10 to implement ICD-11 (one implementation + sunken ICD-10 investments)

What is the comparable cost of each pathway? A comparison of the cost and benefits could have a significant impact on the decision.  Let's learn from this for next time. 

By the way, there will soon be a next time.  I fear that this decision locks the U.S. into another cycle of the same-- using a diagnosis coding system that rapidly becomes archaic and leads to another decade of desperate efforts into the 2030s to upgrade after the rest of the world has already transitioned to ICD-11.

I also fear that that the burden will be excessive on healthcare organizations in 2014 to implement ICD-10 and meet the 2014 Stage 2 Meaningful Use requirements which were both announced by CMS this week.   This burden will be greatest on the small, individual physician practices are already throttled by meaningful use, 5010, e-prescribing and healthcare reform.  They are struggling to find the time and resources for the ICD-10 effort. Since the EHR Incentive Program has a specified timeline under ARRA, I believe this excessive burden is likely to trigger another delay of ICD-10, at least for small physician practices.  

Will we be left wondering why we didn't just stop investing in ICD-10 back in 2012?

Posted at 11:59 AM in ARRA/Stimulus Funds, Current Affairs, EHR, Health Reform, ICD coding, Legal/Compliance, Meaningful Use | | Comments (0) | TrackBack (0)

| | | | | |

June 01, 2012

New Texas Privacy Law Increases Physician Liability Including Heftier Enforcement Penalties

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   In a series of weekly blogs I am writing to illustrate how these stronger patient protections increase physicians' cyber liability.  Consider this case history:

An unencrypted USB drive used to store PHI could not be found in the office.   It contained data on 1,105 patients including names, diagnosis codes and Social Security numbers.   The physician subsequently notified all affected individuals and local media, added technical safeguards of encryption for all PHI stored on mobile devices, added physical safeguards by keeping new portable devices locked in a secure combination safe in doctor’s private office when not in use and added administrative safeguards including annual privacy training of staff. 

For breaches affecting >500 individuals HIPAA requires physicians to notify not only the affected individuals, but also local media outlets and the Department of Health and Human Services (HHS) who then posts breach information on their website.    However, if the PHI was encrypted, then it is not considered to be a violation and no notification is required.    The privacy violation in this case would have been avoided by either encrypting the thumb drive (a technology-based prevention strategy) or by not downloading PHI to a mobile device (an employee training-based prevention strategy).   

HB 300 privacy protections are enforced through penalties, disciplinary actions and audits that are intended to deter breaches.   Several factors are considered when determining the consequences of a breach including the seriousness of violation, compliance history, harm done to individuals and efforts made to correct violations.  Civil penalties may be assessed for each violation up to:

  • $5,000 if committed negligently
  • $25,000 if committed knowingly or intentionally
  • $250,000 if committed intentionally and PHI is used for financial gain
  • $1.5 million if a “pattern of practice” found

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

cook children

Posted at 07:30 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

May 23, 2012

Texas Privacy Laws Provide Patients Stronger Rights to Access Electronic Health Record Than HIPAA

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", Texas House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.  Through a series of blogs I am illustrating a variety of these new protections. Today we contrast a patient's right to access their electronic health record (EHR) under HIPAA against HB 300 requirements in Texas. Case history:

A patient alleged that a physician failed to provide him access to his electronic medical record within 30 days of a written request as required by HIPAA. After the Office of Civil Rights (OCR) notified the physician of this allegation, he provided the records but charged the patient a $100.00 “administrative fee” because the patient was delinquent on bills. HIPAA permits only a reasonable cost-based fee (copying and postage) with an explanation or summary if agreed to by the individual. To resolve this matter, the physician refunded the $100.

When state and federal privacy laws diverge, the more protective law prevails.  In Texas HB 300 combined with other state laws are more protective than HIPAA such as with a patient’s right to access their electronic health records (EHRs). HB 300 mandates physicians who use EHRs to provide patients the requested record in electronic form not later than 15 business days after receiving a written request unless there is an allowable exception.   The EHR may be provided in another format if the physician’s EHR is incapable of producing an electronic copy or if agreed upon by the patient in advance.  Physicians in Texas should align with HB 300 by revising policies on patient access to their EHR and updating their Privacy Notice as needed.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's

Posted at 08:30 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, Privacy and Security, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

May 17, 2012

CMS prematurely dismisses the alternative option to forgo ICD-10 and implement ICD-11

In their proposed rule to delay ICD-10, CMS prematurely dismisses (in three short sentences) the alternative option to forgo ICD-10 completely and implement ICD-11 instead.    I am very concerned that this  dismissal is published  without a comparative analysis of the total costs of each option.   And there is good reason to seriously consider implementing ICD-11. 

In a recent Health Affairs report  the authors express concerns that adopting ICD-10 for reimbursement will be disruptive and costly with little material improvement over the current system.  These informatics experts fall short of suggesting we forgo ICD-10 for ICD-11, but they do recommend that policymakers begin planning now to facilitate a tolerable transition to ICD-11.   We should recognize that this article was not an appropriate platform for the authors to make a political statement to forgo ICD-10.   In addition, more information is needed before making such a recommendation:

  1. What is the earliest date by which the U.S. could implement ICD-11?  CMS suggests that it could be as early as 2020-2022.  What could be done to possibly accelerate that date?
  2. What is the earliest date we could implement ICD-11 if we implement ICD-10 first?  Historical data suggests 2028 is the earliest, but some informatics experts suggest it will be after 2030.
  3. What is the estimated total cost to complete the ICD-10 implementation, then convert to ICD-11?
  4. What is the total cost of stopping the ICD-10 implementation today and proceeding with ICD-11, including the sunken costs of work already done on ICD-10?
  5. What value will ICD-11 provide over ICD-10?
  6. How does the total cost to the industry for using ICD-9 codes another 5-7 years (while ICD-11 is implemented) compare to the total cost to the industry for using ICD-10 codes instead of ICD-11 for 13 or more years after ICD-10 is implemented?
  7. What additional burden will be imposed on physicians and small hospitals by requiring two code system conversions over the next 15 years?  What are the capital costs physicians and small hospitals will incur under both pathways? 
  8. What other potential impacts could there be on physicians and small hospitals?   Will it drive an increasing number of physicians into early retirement?   Will some small hospitals be forced to close?   Will it drive a decision by increasing number of physicians to convert to a concierge or cash-only practices?  

These and other potential impacts have not been fully assessed by CMS.   Implementing ICD-10 has been compared to buying a Betamax instead of a VHS recorder in terms of pending obsolescence.   Informatics experts are in agreement that ICD-11 is superior to ICD-10 and that we need to get to it as soon as is tolerable.   Perhaps the optimal pathway to ICD-11 really is through the ICD-10, but we need a more comprehensive analysis to make a better-informed decision.   Let’s put on the table the total costs and impact of both pathways and then decide.

You may read here my entire public comment as submitted to CMS on the proposed rule to delay ICD-10 for one year.

Posted at 10:00 AM in Current Affairs, Health Reform, Leadership | | Comments (2) | TrackBack (0)

| | | | | |

May 16, 2012

New Texas Privacy Law Increases Employee Training Requirements in Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   I am concerned that their may be low levels of awareness at this time among Texas physicians regarding the new privacy provisions.  For example, one of the new requirements impacts employee privacy training policies for the physician practice.   As an illustration, consider this case history:

A laptop computer was stolen or lost from the reception desk area possibly after a cleaning crew had left the main door to the building open.   An employee had previously used the laptop to download information that included protected health information (PHI) on 67 patients seen that week.   Following the breach the practice notified all affected individuals, added technical safeguards of encryption for PHI stored on mobile computers, added physical safeguards by keeping all portable devices locked in a cabinet of a locked storage room when not in use and required re-training of all employees on privacy and security policies including immediate training for the cleaning staff.

Many breaches of PHI are avoidable if employees are trained on privacy/security  and remain vigilant when managing PHI.    In Texas HB 300 protects not only PHI as defined by HIPAA, but also “sensitive personal information (SPI)” as defined by the Texas Identity Theft Protection Act.   HB 300 requires all employees who will encounter PHI or SPI to undergo privacy training that is tailored to the employee’s specific responsibilities and types of contact with PHI.    New employees must be trained within 60 days of hiring, and training must be repeated at least once every two years.    A log must be maintained with employee signatures verifying their attendance.    Physicians can prepare by updating employee training policies and materials.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's

Posted at 08:30 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, Privacy and Security, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

May 09, 2012

New Texas Privacy Law Places More Accountability on Business Associates of Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   In a series of weekly blogs I am writing to illustrate some of the new protections.   I think that the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws.  Consider this case history:

A physician practice was notified by one of their business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA’s server was compromised.  The breach involved PHI of 1.085 individuals.  In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service.  The practice contracted with forensic consultants to ensure that the cause of the compromise was found and all online traces of breached reports were removed.

HB 300 holds accountable any business in Texas that comes into contact with PHI.   This means that BAs of physician practices are accountable to HB 300 protections and HIPAA unless they have no contact with PHI.   Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws.  Matters to address in a BAA include:   

  • Immediate notification to practice when BA discovers breach
  • Who notifies affected individuals?  Who bears the cost?
  • Contract termination for failure to comply with law or take "reasonable" steps to fix breach
  • BA ‘s compliance with performing security risk analysis at least annually
  • BA’s compliance with employee privacy training
  • Encryption of PHI on BA’s mobile devices or exchanged online; and other circumstances where PHI is at high risk

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's

Posted at 08:30 AM in Current Affairs, EHR, EHR Risks, Legal/Compliance, Privacy and Security, REC, Safe EMR Use | | Comments (0) | TrackBack (0)

| | | | | |

Next »

Categories

Search

Recent Posts

Twitter Updates

    follow me on Twitter

    Archives

    More...

    Enter your email address:

    Delivered by FeedBurner

    Bookmark and Share

    *

    *

    *