Archive | HITECH


Responsible Reporting

Posted on 16 February 2010 by Anthony

Although healthcare organizations only need to report a data breach if financial harm results, it is irresponsible for a healthcare organization to ignore a breach of its customers’ private health information.  If the health information can be tied in any way to the individual, ethical responsibility to your customer should motivate reporting of the data breach and notification to the proper authorities.

For official reporting to the U.S. Department of Health & Human Services, there are two different reporting groups: one for data breaches of under 500 individuals and one for any breach greater than 500.  Many healthcare providers are hesitant to report a data breach officially to HHS, as the new requirements under the HITECH Act also state that a breach over 500 individuals will be posted on the HHS website.  It seems virtually impossible that no data breach has occurred, yet I have not found any organizations reported on the HHS website so far, as seen here.

Reporting a breach to HHS is relatively simple, as it is an online form that does not require much technical knowledge or the submission of any technical data or proof of the breach.  Network forensics can be extremely complicated for the novice user, and the breach will most certainly be physically obvious for most of the initial cases reported, until healthcare data security is audited more carefully than it is today.  See the form for reporting a notice to the Secretary of HHS here.

It is also a good idea to report any security incident to US-CERT, even if reporting is not required by the terms set forth by HHS.  Incidents reported here include more than just a breach causing financial harm, and a report should be completed even if a computer virus outbreak is detected at a provider.  The reporting form at US-CERT is also simple to complete and does not require any major technical forensics knowledge.  To see the form for reporting general network and data incidents to US-CERT click here.

As for notification to your patients, unless financial harm is shown, HIPAA does not require healthcare organizations to report the incident to the individuals, but should you?  Most definitely!  Most states already have reporting requirements for data breaches of personally identifiable information and it is simply the responsible and ethical choice for any provider wishing to maintain any level of trust with their patients and clients.  To see a sample letter written by the FTC for notification of a data breach, visit their website.

AMENDMENT:  Since this was written, the HHS website now has posted providers they are aware of where more than 500 records were breached.


Data Breach Thresholds

Posted on 28 December 2009 by Anthony

A provisional rule announced by Congress will force health care providers to notify patients of breaches to customer data only if the breach “poses a significant risk of financial, reputational, or other harm to the individual.”  How will the risk factors be determined?  Will existing state laws on data breaches provide protection where the federal government falls short?  Who is the real threat to your electronic health record?

In a poll sponsored by RSA of 400 top level executives, 52% described the majority of their data losses as accidental.  Many of the reported data losses were due to inappropriate access by the wrong people.  This data supports the view that internal control of access to, and handling of, data is the largest issue facing our healthcare providers in protecting our patient data.  According to the Data Loss Open Security Foundation, 12% of all data losses are medical related.  With the push to a national electronic healthcare technology infrastructure, that number is sure to increase over the next five years.  Most consumers appreciate notification of these negligent data breaches.  Perhaps healthcare providers could even be assigned a rating based on their breaches, to better inform consumers of the most secure and trustworthy healthcare providers.

Hospital and insurance representatives argue that notification costs would be too high if every breach were reported.  Examples of routine breaches in handling data include statements sent to wrong addresses and improper employee access, but when your health information is part of this routine error in handling, would you want to know?  Consumers should be asking “why is my health information mishandled so often?”  Proper investment in security and access controls should limit risk and subsequently the cost of data breaches.  The arguments provided by hospital and insurance representatives seem best used as evidence of gross negligence, not as an argument for limiting notifications to patients.

But do you have any legal protection?  Many states have already passed laws that would include a breach of patient health data in the state mandated reporting requirements for improper access or loss of data, but new federal rulings could preempt those state laws where your medical record is concerned.  Negligent security requirements mandated for protection of electronic health records at the federal level will not sufficiently protect your records with the current requirements and restrictions.  With federal laws regarding reporting on health care data breaches most likely winning out over state mandated reporting requirements, it appears the corporate lobbyists are exposing the nation to public electronic health records rather than private electronic health records, and you may never even know when your record is breached.

Write your state and federal Congressmen and let them know your concerns for the protection and privacy of your health records.  While network security should never be overlooked, the majority of data breaches occur inside an organization.  Increased controls and requirements for handling patient health records are needed to sufficiently protect your private and personal information.  As with too many points of privacy and security with electronic health records, there are too many unanswered questions and undefined points of protection.


Leyden, John. Incompetence a bigger IT security threat than malign insiders. (2009) : Internet. http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/ November 15, 2009.

Schwartz, Emma. Health Industry Winning Round On Privacy of Digital Health Records. (2009) : Internet. http://www.huffingtonpost.com/2009/11/13/health-industry-winning-r_n_357476.html November 15, 2009.

State-by-State Listing of Data Loss and Freedom of Information Legislation. (2005-2009) : Internet. http://datalossdb.org/us_states November 14, 2009.

Data Loss Statistics. (2005-2009) : Internet. http://datalossdb.org/statistics November 14, 2009.


How to calculate your stimulus incentive

Posted on 06 August 2009 by EHRTech.info

There are a lot of questions and confusion around how to calculate the stimulus incentive payments that I hope to clear up in this post. My calculator on this site uses the most common method for calculating the Medicare payments but I will also explain the calculation for Medicaid.

Medicare
The first thing to do is estimate your Medicare submitted allowable charges per patient. The Act states that Medicare submitted allowable charges will be multiplied by 75% to determine your annual incentive payment, but there is some debate that this number may end up being the Medicare actual submitted charges multiplied by 75%, which would be a lower number. A physician wanting to receive the full first-year payment of $18,000 would need to submit allowable charges to Medicare of at least $24,000. If you submit $18,000 in allowable charges, then your payment would be $13,500. Each year the cap reduces, so you can figure out your total incentive per physician by adding up the maximum expected stimulus for each of the years.

Year they first file | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | TOTAL
2011 | $18,000 | $12,000 | $8,000 | $4,000 | $2,000 | $0 | $44,000
2012 | $0 | $18,000 | $12,000 | $8,000 | $4,000 | $2,000 | $44,000
2013 | $10 | $10 | $15,000 | $12,000 | $8,000 | $4,000 | $39,000
2014 | $0 | $0 | $0 | $15,000 | $12,000 | $8,000 | $35,000
2015 or later | $0 | $0 | $0 | $0 | $0 | $0 | $0

Items to note
Physicians operating in a “provider shortage area” will be able to increase their cap by 10%. Additionally, physicians operating entirely in a hospital environment are not eligible for these stimulus funds, as the hospitals have a different calculation for the stimulus funds they are eligible to receive.

Calculating total Medicare
To calculate your total incentive payment per physician for each year, simply use the following equation:

x = Average number of patients per MD per day
y = % of patients who are Medicare
z = Average submitted allowable per Medicare patient
a = Working days per year for the physician

0.75 × a × z × y × x = Eligible Medicare submitted allowable charges

If this number is larger than the cap for each year (above table), then take the max allowable for each year and add it up for the total incentive per physician. If it is less, then use the number calculated above.

Medicaid
Calculating Medicaid payments is much simpler and provides a greater payment up front than the Medicare incentive package. The reasoning behind this is to encourage more physicians to accept Medicaid patients, but the requirements may seem too stiff for most physicians.

Medicaid stimulus calculations require physicians to see more than 30% of patients paying with Medicaid, with the exception of pediatricians, who are only required to see 20%. If your billing meets these requirements, then your incentive payments are simple: $35,000 for the first year and $10,000 for subsequent years over the five year period, with a total incentive payment of $64,000.

Practice totals
It is important to note that stimulus payments are calculated per physician. If a practice has multiple physicians, then this must be done for each physician and then totaled to figure out the maximum payment for an entire practice. If a practice is able to receive the maximum Medicare amount for 5 physicians, then the total payment would be $220,000 for the entire practice.

How payments are made
Although the basic formulas are available to estimate payments, there has been no official word yet on exactly when and how the payments are going to be made. It is expected that the official process for application, certification of meaningful use for the year and disbursement of payments will be out by the end of September 2009.



EHR: Saving Health Care Industry $$

Posted on 30 July 2009 by EHRTech.info

One of the main purposes for many of the new regulations in the HITECH Act and the push to increase technology utilization within the health care industry is to save money. If implementation of an EHR increases the amount of time to see a patient, is it saving money? What is the real ROI for the average provider post implementation?

My argument is by no means to stop the push for EHR and other technology improvements to the health care industry. My argument is that the current players simply do not have the right EHR system to do the job. The majority of systems do not improve workflow or increase efficiency within an office. These systems definitely improve quality of care and decrease the possibility for human error, but do they actually save time and increase the doctor’s ability to perform timely and cost effective health care?

Technology generally improves a person’s quality of life. User interface design is big business. Other software developers focus on ease of use, number of clicks, user intuitive screen design. Business intelligence, finance, security and other very high tech industries have very efficient and easy to use systems. Health care does not. Health care is 10 years behind the curve.

Where is the EHR system that will anticipate the user’s actions based on previous click and role? Where is the EHR system that reduces the number of clicks compared to a comparable system by half? Where is the EHR that allows a physician to double the number of patients they see?




HITECH Act pushes high-tech development?

Posted on 16 July 2009 by EHRTech.info

Why has the health industry historically been so quick to resist movements to jump into the electronic age? Cost barriers? Implementation headaches? Lack of usable solutions? Perhaps all of these items have contributed to the slow adoption of technology within the smaller practices but the software industry has not been helpful in reducing the barriers to entry and educating the end user.

A few weeks ago I was sitting in a seminar hosted by a major health care software development company and listened to a client, giving a testimonial, tell the full room to simply accept that the process of implementing an EHR should be painful and slow for six to eight months. Appalled would be an understatement for my reaction to this testimony, but unfortunately it seems to be a consensus for most health care professionals when you start talking about EHR and practice management solutions. This is the fault of the software industry. It is completely unacceptable for an end user to believe that implementation of technology will impede, not improve, their operations.

My background in software development is not rooted in health care technology, but most of my clients would have called security and had me escorted out of the building if I told them my software package was going to be painful to install and not improve business processes post implementation. It is time to reform the health care software industry and impose the standards and requirements the rest of the software development world has apparently been using for years.

More importantly than simply catching up to status quo, I believe that the HITECH stimulus funding will push health care software development to push features and functions beyond the expectations of the end user. Why should the application simply store data? The application should be intuitive and interactive. If ever the software industry had a market for bleeding edge features and functionality, the health care industry is it.

Speech recognition is still very costly for rich functionality. Many EHR systems that offer speech recognition charge $100,000 or more to integrate the module and training the system for each user is yet still another costly burden. Health care IT has an opportunity to push speech recognition to the edge and reduce implementation costs while increasing effectiveness.

Moreover, IT should improve practice management operations and profit margins. Patient evaluations should move more quickly allowing doctors to see more patients without sacrificing care. Systems should automatically notify practice managers when patients are due for checkups or tests based on treatment, diagnosis and lifestyle. Prescription management should have guesswork removed. Systems should auto-interface with other provider records and pharmacy records to aggregate all prescribed medications for a patient so health care providers are better informed.

Providers should remember that anything is possible with software. Be vocal with your requests and ideas and drive development. Write letters to your congressmen and congresswomen and to HHS. http://www.hhs.gov/feedback.html



Medicare Stimulus Calculator

Posted on 16 July 2009 by EHRTech.info

Please complete the following 5 questions to calculate your Medicare stimulus incentive payments.

Inputs:
- Number of MDs in the practice
- Average # of Patients/MD/Day
- # of patients that are Medicare
- Avg. submitted allowable per Medicare patient
- Working days per year

Outputs:
- Stimulus payments per physician using Medicare incentives (2011, 2012, 2013, 2014, 2015, Total)
- Stimulus payments per practice using Medicare incentives (2011, 2012, 2013, 2014, 2015, Total)




HITECH Act Basics

Posted on 10 July 2009 by EHRTech.info

With the introduction of the HITECH Act in early 2009, there is a plethora of information and misinformation surfacing for providers.  This article is a simple breakdown of the HITECH Act and what it means to healthcare providers as of today.  It is important to note that few absolutes have been defined by governing organizations including the method of dispersal.

The HITECH Act is part of the American Recovery & Reinvestment Act signed by President Obama on February 17, 2009.  It includes $36 Billion in funds available to physicians and healthcare providers for implementation AND USE of an EHR system that is certified by the standards to be set forth near the end of 2009.

Funding is available for physicians and in rural areas some physician’s assistants and nurse practitioners who have Medicare and Medicaid billings.  Practitioners have two options, incentives through Medicare or Medicaid but not both.

Medicare incentives are based on a percentage of Medicare billings up to $44,000 over five years starting in 2011.  Physicians in a health provider shortage area will be eligible for a 10% increase.

Medicaid incentives are for physicians who see more than 30% of patients paying with Medicaid (20% for pediatricians) and are eligible for up to $64,000 over five years with the majority of the payment during the first year, $35,000, and $10,000 over the next 4 years.

The HITECH Act declares that physicians must not only implement an EHR system, but demonstrate “meaningful use.”  Within the Act, meaningful use is defined in three ways:
-    Use of a certified product complete with ePrescribing capability as determined appropriate by the Secretary of HHS
-    The EHR technology is connected for the electronic exchange of PHI
-    Complies with submission of reports on clinical quality measures

It is important to note that the standards for certification have not been released yet, so no system is currently certified.  Additionally, it is expected that meaningful use will be more clearly defined in the upcoming months as more documentation is released by CMS.

Key Milestones
-    September 2009: CMS releases process for obtaining incentives
-    December 2009: Standards for certification should be released
-    2011: First payments from HITECH will be issued
-    2014: Demonstration of meaningful use required or penalties begin

In short, the HITECH Act is like much new legislation and requires additional definition by the regulatory and oversight organizations within the government that will distribute funding and enforce policy.  While this act will benefit most physicians financially over the next 5 years tremendously, it is important to stay updated regularly on new mandates and interpretations of the law.

Subscribe to eHRTech.info to stay updated with the latest information and resources for your eHR system.

