Looking for a simplified way to keep up with HIPAA? For a limited time, we are making available our "Showing HHS Visible, Demonstrable, Evidence" webinar when you sign up for our FREE monthly newsletter.
Recently, the Digital Business Law Group P.A., Carlos Leyva, Esq., began providing legal assistance to customers of the HIPAA Survival Guide.
OK, so why now?
The HHS Office for Civil Rights (OCR) reports that settlement payments last year were $25.6 million[1]. Subsequently, they are reporting there will be an increase in HIPAA compliance investigations. With resources from settlement fines, OCR believes the industry has had adequate time to develop complete data security policies and procedures. Unfortunately, healthcare organizations are still lagging. But take notice there will be a higher number of investigations by OCR in 2017. That’s more than enough to ruin a good day.
To make matters worse, OCR is not always consistent with its audit process. In some cases, inspections occur over years during which the rules can change. Covered Entities (CEs) and their Business Associates (BAs) must conduct Risk Assessments on a regular basis to ensure compliance. That said, there is no definition of what a ‘regular basis’ means, or what entails a ‘comprehensive Risk Assessment’. They’re not saying HOW to do it, just do it.
Not surprisingly, OCR’s perspective on compliance is “sometimes a matter of judgment on the language in pertinent regulations.[2] ” More funds collected fosters expectations that OCR may increase the number of audits with additional resources funded by received settlements.
[1] Goedert, Joseph. "Why OCR is aggressively enforcing HIPAA compliance." Health Data Management. Source Media, 1 Dec. 2016. Web. 16 Dec. 2016.
[2] Ibid.
The Office of Civil Rights (OCR) has launched Phase 2 of their HIPAA Audit Program, seeking to expand its scrutiny to a much broader array of HIPAA-covered entities and business associates. In Phase 2, OCR will contact Covered Entities (“CE”) and Business Associates (“BA”) to perform desk or onsite audits that comprehensively examine data security practices and compliance with HIPAA privacy and security rules.
Until recently, smaller CE’s have not been a primary focus of OCR attention but now, with this “across-the-board auditing,” CEs and BAs of all sizes will undergo the possibility of HIPAA Audits. This changes the game for those who have ignored the possibility of HIPAA audits in the past. Now, organizations must get their “house in order” to ensure that a Risk Assessment has been performed, Risks are identified, and mitigation policies and procedures, put in place to avoid enforcement actions – many of which can be significant. “HIPAA fines are on the rise and getting larger.”[1] In addition, CEs are required to obtain satisfactory assurances that their BAs are complying with the Security Rule.
Implementing HIPAA compliance begins with a Baseline Risk Assessment that identifies areas in which CEs and BAs have high Risk exposure due to lack of policies, procedures and Security and Privacy Rule compliance. A Risk Assessment is one of the implementation specifications of HIPAA Security Rule—but by far, arguably the most important.
In addition, subsequent Risk Mitigation includes review and implementation of security controls that mitigate identified risks. Possible items may include encryption, employee training, governance of login credentials and security. Moreover, the Security Rule requires documentation for each implementation specification and a written sanction policy. The Privacy Rule requires a log of restriction requests made by patients as well as a log of PHI, access, amendment, and disclosure requests. The Breach Notification Rule requires documentation regarding how the HHS Secretary should be notified in case of a breach. The Omnibus Rule mandated changes to notice of privacy practices and introduced other modifications to the HIPAA Rules. Suffice it to say these regulations are non-trivial. Management must make compliance, their risk assessment and its mitigation efforts, a high priority in addition to ensuring that the right solutions are implemented.
OCR is committed to transparency about the process by posting the updated audit protocols on their website. “The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.”[2] Gathering an inventory of security objects (i.e. operations, assets, and workforce members) that create, access, maintain and/or transmit PHI, is foundational to Security Rule audit preparation.
Commercial off the shelf products may be helpful to the implementation of the Security Rule’s Safeguards. If a CE or BA is out in the Risk Assessment wilderness with manual reviews or only paper documents and spreadsheets, or no documentation at all, take a look at Expresso’s Risk Assessment software and all of the Risk Mitigation products available at The HIPAA Survival Guide. “Now that the stakes have changed, those who are unwilling or unable to adhere to HIPAA data security rules threaten not just their own businesses, but those of the public, including yours.”[3]
[1] Robertson, Cam. "Why HIPAA Audits Raise the Stakes for MSPs as Well as Providers." Health Data Management. N.p., 06 Oct. 2016. Web. 06 Oct. 2016.
[2] "OCR Launches Phase 2 of HIPAA Audit Program." HHS.gov. HHS Office of the Secretary of Civil Rights, 2016. Web. 06 Oct. 2016.
[3] Robertson, Cam. "Why HIPAA Audits Raise the Stakes for MSPs as Well as Providers." Health Data Management. N.p., 06 Oct. 2016. Web. 06 Oct. 2016.
Where do nurses and doctors find the time to provide care beyond the office walls? Given the fragmented nature of the U.S. healthcare system, healthcare providers have increasingly implemented Care Management programs aimed at coordinating the care patients receive to improve quality, reduce per capita cost and improve access to care. Traditionally, coordination interventions follow from several perspectives: medical versus social; short-term episodic or acute care versus chronic and long-term care; and various points of access to the patient (e.g., patient targeting to find those in need of high-intensity services, managed care organization, or physician office practice).[i]
Care Coordinators (a.k.a. Care Managers) provide outreach to at-risk patients to ensure they receive specialized attention related to needed services. They are a key liaison between the patients and their primary care providers. The general intent is to facilitate delivery of the right health care services in the right order, at the right time, and in the right setting.[ii] Recently, care coordination programs have gained a stronghold where managed care organizations, commercial vendors, academic medical centers, and private health insurers sought to implement mechanisms aimed at controlling costs, improving disease outcomes, quality of care, and patient satisfaction.[iii]
At a high level, a 2000 report, entitled, “Best Practices in Coordinated Care,”[iv] made the following five recommendations for Care Management programs:
Care Management software comes in various shapes and sizes. Many fill the needs of Clinically Integrated Networks of Hospitals, Clinics, and practices; others come in smaller sizes to meet the needs of small practices. One such package is Stone Health Innovation’s Idea Care. Regardless of the size, certain capabilities should be part of the care management software solution as described below.
Care Coordination Components[vi] should include:
Information provided herein serves as development for a working definition that may be a helpful step for others attempting standardization in the area of Care Coordination. Interventions can be demarcated by type that includes not only use of software, but also educational brochures, mailings and member letters, telephonic care management, in-person care management, call centers and self-monitoring devices. Providers may find patient profiling and reports that originate from registries and clinical information systems, electronic medical records, decision support and other electronic communication systems useful. The Agency for Healthcare Quality and Research (AHRQ) published research on care management entitled “Measuring Value in a Care Management Program.“[vii] AHRQ claims that a measurement strategy is critical for determining the value of a Care Management program and to ensure effectiveness in reaching its goals.
[i] McDonald KM, Sundaram V, Bravata DM, et al. Closing the Quality Gap: A Critical Analysis of Quality Improvement Strategies (Vol. 7: Care Coordination). Rockville (MD): Agency for Healthcare Research and Quality (US); 2007 Jun. (Technical Reviews, No. 9.7.) 2, Background: Ongoing Efforts in Care Coordination and Gaps in the Evidence. Available from: http://www.ncbi.nlm.nih.gov/books/NBK44011/
[ii] Ibid.
[iii] Ibid.
[iv] Chen A, Brown R, Archibald N, Aliotta S, Fox PD. Best practices in coordinated care. March 22, 2000 [Accessed: January 30, 2006]; Available from: http://www .cms.hhs.gov /DemoProjectsEvalRpts /downloads/CC_Full_Report.pdf. [Reference list]
[v] Ibid.
[vi] McDonald KM, Sundaram V, Bravata DM, et al. Closing the Quality Gap: A Critical Analysis of Quality Improvement Strategies (Vol. 7: Care Coordination). Rockville (MD): Agency for Healthcare Research and Quality (US); 2007 Jun. (Technical Reviews, No. 9.7.) 3, Table 6: Components of Care Coordination. Available from: http://www.ncbi.nlm.nih.gov/books/NBK44012/
[vii] By Using Structure, Process, and Outcome Measures, a State Can Ensure That It Is Receiving a Complete Picture of Its Program's Value., AHRQ. "Section 7: Measuring Value in a Care Management Program." Agency for Healthcare Research & Quality. U.S. HHS: Agency for Healthcare Research and Quality, 2014. Web. 13 Sept. 2016.
In my first post in this series on Population Health, I stated that EFFECTIVE PATIENT ENGAGEMENT IS ALL THAT MATTERS. There is simply nothing more important than the patient if you are trying to deliver higher quality of care at a lower cost for a population of patients. When clinicians are dealing with many patients they generally do not have the time to effectively educate each individual patient in a manner that may help improve their wellness.
For example, patients with Diabetes require education about exercise and the kinds of foods that are suitable for someone with their condition. Likewise,there is a need to teach all patients, but especially those with comorbidities the importance of staying in compliance with their medications. The list can go on and on. 5-10 minutes with your doctor every three months will never suffice vis-à-vis the kind of information needed to support wellness.
Almost everyone is using the Internet to search for articles on their conditions, however; often they may encounter information that is inaccurate for their specific circumstances. Nurse note here... “It is always best to check with your Doctor or Nurse” – but they may not be available when the patient needs a question answered. Now we have the role of the “care manager” in population health. The healthcare industry recognizes this obvious need but is struggling how to fulfill it.
One thing is certain as we have discussed before, conversations with the patient cannot take place in a multiplicity of places (e.g. patient portals for every specialist). It has to take place in one virtual space or it won’t take place at all. But, how is this possible if every doctor wants to use their own distinct virtual space to communicate? Enter a visionary startup Docola, whose platform allows the conversations to take place in a single virtual space no matter how many clinicians are treating the patient.
Using Docola’s Platform (or something akin to it) the conversation becomes centralized across all care providers. Care coordinators are able to pull the requisite patient information from multiple EHRs and other data sources to effectively educate the patient. In fact, Docola’s Platform is, among other things, a patient education platform. Now clinicians can choose from world-class clinical content publishers the educational courses that have the potential to make an enormous contribution to patient education, while at the same time ensuring that the patient conversation takes place.
The certainty of this approach for patient education is self-evident. The reason that we have not seen this type of system receive widespread success is that the healthcare industry, despite recognizing the need and potential of this type of Platform, is struggling to develop the business model(s) that would make it work. In short, the industry is struggling mightily to remove the shackles placed upon it by Fee-For-Service. However, disruption is coming.
It is not the Internet, or the Internet of Things, or Big Data, or analytics, or a host of other technologies that are foundational to population health that will eventually transform healthcare. These technologies may be necessary, but they are certainly not sufficient. No, what will drive transformation is the way in which the medium will improve conversations that take place between human beings (i.e. between providers and patients). The improved human dialog is the change agent.
We need to insert the patient into the equation. Although this may seem obvious, it is one that the FFS model has ignored for well over 100 years. Everything else was a distant secondary consideration. Why has the patient been left out of the equation? Because unlike almost every other market you can imagine, in healthcare the patient historically was not the entity that paid for the services. Hence, from an economic perspective, the healthcare industry was free to ignore the very people they purportedly served.
Atul Gawande spoke about the need for communication and systems thinking in healthcare. In a TED Talk, he summed it up by saying “We’re all specialists now, even the primary care physicians. Everyone just has a piece of the care. But holding onto that structure, we built around the daring, independence, self-sufficiency of each of those people has become a disaster. We have trained, hired and rewarded physicians to be cowboys. But it’s pit crews that we need, pit crews for patients.”[i]
The very reason that population health is in a state of crisis is that the focus formerly has been on a million and one potential distractions with very little attention paid to how we were going to engage with the patient, and moreover exactly where was this engagement going to take place. A premise of the population health “movement” is that healthcare has to transform its view of the patient from a “clinical thing” to be examined and studied, to a natural person with whom we want to engage in a mutually beneficial dialog.
A few thousand years ago there was a marketplace. Never mind where. Traders returned from far seas with spices, silks, and precious, magical stones. Caravans arrived across burning deserts bringing dates and figs, snakes, parrots, monkeys, strange music, stranger tales. The marketplace was the heart of the city, the kernel, the hub, the omphalos. Like past and future, it stood at the crossroads. People woke early and went there for coffee and vegetables, eggs and wine, for pots and carpets, rings and necklaces, for toys and sweets, for love, for rope, for soap, for wagons and carts, for bleating goats and evil-tempered camels. They went there to look and listen and to marvel, to buy and be amused. But mostly they went to meet each other. And to talk.
Yes, markets contain prominent conversations. The Cluetrain Manifesto[ii] propelled this meme on the world’s stage over fifteen years ago. However, very few people intuitively understand the implications, and fewer still are leveraging the idea, as a way of doing business in healthcare. Enormous opportunities await any organization that finds its voice, and through it learns to have an ongoing conversation with its patients.
Further, patients are eager to have this conversation, as long as it is no more demanding of them then their use of Facebook, or WhatsApp, or Snapchat or whatever social media platform they choose to engage with. Moreover, it is clear that the conversation needs to take place in one virtual space, not hundreds. The idea of patient portals is DOA. Why? Because a patient is not going to visit twenty different portals to engage with all the clinicians (i.e. specialists) that our currently fragmented delivery system mandates.
[i] Gawande, Atul, MD. "Transcript of "How Do We Heal Medicine?"" Atul Gawande: How Do We Heal Medicine? TED Talks, Apr. 2012. Web. 28 Aug. 2016.
[ii] Rick Levine et al., The Cluetrain Manifesto: the end of business as usual (Cambridge: Perseus Publishing, 2000).
A good manager can manage anything right? Take for example Jack Welch (i.e. former CEO of General Electric), who is universally renowned for his management skills. Can you conceive of a business or government project that Jack would not manage effectively? I can. Jack was a good manager, but he probably would have done a poor job of managing The Manhattan Project (responsible for building the first atomic bomb). Why? He was a world-class executive but not a world-class theoretical physicist. He would have had a heck of a time trying to discern a great atomic bomb design from a disastrous one. And even if this feat were remotely possible, we certainly would have lost the war by the time Jack made a reasonable determination.
If you are going to manage, let alone lead, any non-trivial population health initiative (and most trivial ones for that matter), you better be an extremely knowledgeable (i.e. a combination of clinical, healthcare information technology, and managerial expertise) and a respected member of the team. Otherwise, the troops and their respective bosses are going to chew you up and spit you out. Design sessions will turn into popularity contests or position power plays, neither of which is likely to produce great results.
No, Jack Welch, being a world-class chief executive, would have immediately recognized that he was not the right man for the job, and quickly would have gone out and hired the best available talent that money could buy. It seems obvious in this example, but over and over again I have seen individuals put into positions of management or leadership where they have, at best, a rudimentary understanding of the underlying technologies and/or subject matter domain. It is as if charm, good looks, or social graces were enough to get the job done when it comes to leading an inordinately complex population health initiative.
This is not to say that being a technically competent individual with excellent managerial skills is enough either since I have already expounded at length on the importance of leadership. But if you have these skills, at least you are qualified to be in the game!
FOR THE LOVE OF THE GAME
Most people, at the top of their profession, derive some intrinsic value from their work. It is probably one of the reasons they excel in their chosen vocation. Usually, such a calling satisfies significantly more than their financial needs. They derive an extreme sense of satisfaction, and at times, inspiration from the work itself. Ernest Newman noted:
The great composer does not set to work because he is inspired but becomes inspired because he is working. Beethoven, Wagner, Bach and Mozart settled down day after day to the job in hand with as much regularity as an accountant settles down each day to his figures. They didn’t waste time waiting for inspiration.
All the truly exceptional project managers that I have had the pleasure of working with displayed an intense passion for their craft. They got off on the work. Just like exceptional musicians get off on their music. Passion for your craft is a pre-requisite for greatness. If you want to hire the best of the best, learn to look for a certain fire in their bellies and sparkle in their eyes.
THE ECONOMIC UNIT OF VALUE CREATION
Successful projects drive competitive advantage, and in healthcare, the need for competitive advantage is growing day-by-day. The creativity that impacts activities of the value chain yielding marketplace advantages is almost always unleashed within the context of a project. Therefore, it follows that you want to staff your mission critical projects with the best available talent you can find, wherever you can find it.
Mission critical projects should define and guide your employment practices. Much of the talent you would love to hire would probably want to work on your mission critical project, given that you are willing to pay them what they’re worth, however, they may not be as interested in a stewardship role for the next five years, once the project’s objectives have been met.
In other words, there are people who love to continuously create, and there are those that create and then to nurse their creations. One is not necessarily better than the other, but they are different. To be successful, you must learn to recognize individual differences and then hire world-class players for each category. Mission critical projects will only yield sustainable results if you are astute enough to hire the right combination of both.
PAY FOR PERFORMANCE
By now just about everyone understands that lifetime employment, with the same organization, is a thing of the past. It may still happen in a very small number of cases, but the majority of workers (of whatever color collar), either out of necessity or by choice, will wind up working for many employers over their lifetime. Whether they are employed as permanent employees (whatever that means nowadays) or freelance consultants will make little difference.
One thing is certain; top talent will continue to insist on pay for performance at high market rates. They will also be in a position to negotiate more vacation, flexible hours, and anything else that the current market will bear. If organizations insist on playing thefool’s game of squeezing their best talent financially, the moment things turn a little tight economically; they will be rewarded with mass exodus when the economy improves. You reap what you sow.
“Did anybody think it would be just the people who were downsized who would start thinking like free agents? This is capitalism. If you create a free market for anything, including talent, the people with the most value to sell are going to leverage it for everything it’s worth. And that’s what’s happening. The most valuable people are leveraging their talent in the marketplace for everything it’s worth. Success now is defined by the open market, and that means that the sky is the limit. No single organizational hierarchy puts a cap on your potential. Go wherever opportunity takes you. That is the essence of the free-agent mindset.[i]”
Of course, it is prudent to point out that free agency is not without risks. You may have to accept lower market rates and/or less work whenever economic conditions dictate. It is not all upside by any stretch of the imagination. However, even in a bad employment market, free agents tend to have distinct advantages. Since they often have better skills and are economically motivated to keep them honed, they remain aggressive competitors in good markets as well as bad.
[i] Bruce Tulcan, Winning the Talent Wars (New York: W.W. Norton & Company, 2001) 24
