MANAGED SERVICE PROVIDERS: MANAGED IT: NEW LAWS AFFECTING THE MEDICAL INDUSTRY AND THEIR DATA
Part 1 of 5 in a series
Let’s face it, health care reform is going to come to the US because without it our economy will be crippled, and the cost of healthcare will amount to 50% of the federal budget within the next 50 years. Part of the reason for the growing cost of health care, just slightly ahead of the cost associated with treating an uninsured patient, is the practice of defensive medicine. Roughly 20 to 50 percent of the medical tests that make up the bill, paid or not paid by an insurance company, are unnecessary, ordered by your doctor as an active defense against litigation for failing to take a certain course of action.
Without a doubt there will be some change to medical malpractice laws that brings relief to the medical profession and allows doctors to get down to the business of practicing medicine again. But don’t breathe too deep a sigh of relief yet, as the sharks will turn their attention to other prey in the water. This time it’s going to fall squarely in the lap of the medical or hospital IT department.
The fact is that currently the data in a patient file does not belong to the practice; it belongs to the patient. As such, each office is expected to provide adequate protection against its loss, theft, and other misuse. As the Federal government moves into fully implementing Health Information Technology, all medical practitioners can expect the way they do business to radically change. The law is clear as to what must be done, and it is equally clear what each practice or business can expect if it is not in compliance.
Why the call to alarm? Who among us has not heard of cases of data theft concerning personal financial information from large companies that should have known better, leaving the average guy on the street thinking, “even I know better than to do that?” How many times have you heard of a laptop being stolen or misplaced that contained sensitive information like social security numbers or credit card information left unencrypted? What about the stories of large firms having their security breached by hackers only to have their entire client database stolen? These occurrences are all too familiar in the digital age, and they are about to become commonplace horror stories on your local evening news.
Imagine, if you will, a story about a top-of-the-line plastic surgeon being plastered all over the web along with videos and before-and-after photos of their clients after that office’s network was breached by hackers, and of course the data that resided on those systems was not encrypted. What titillation magazine would not pay an exorbitant sum for highly confidential information pertaining to the latest medical procedure some hot celebrity had undergone? All of this provided by, you guessed it, a disgruntled employee.
HIPAA has had its regulatory enforcement teeth since April 14th, 2003, when it was allowed to begin imposing penalties on those medical institutions and providers not in compliance. Some of the new things any practice or hospital will find themselves faced with are the following:
- Review the access employees have to protected information and determine the “minimum necessary” access.
- Develop specific policies and procedures regarding the HIPAA requirements.
- Provide training for current and all future employees on those policies and procedures.
- Appoint a privacy officer to monitor the practice’s HIPAA compliance.
- Provide a “Notice of Privacy Practices” to all patients.
- Obtain HIPAA-compliant agreements with all business associates.
- Get a signed Authorization every time patient information is released per request of a client.
But as I said earlier, the data in those medical records belongs to patients, so doctors also have to be concerned with and implement procedures and policies that provide the following privileges to patients:
- Access to their medical information, including providing copies at the patient’s request.
- Ability to make amendments to their records.
- Record of any and all disclosures made of their medical information for any use other than treatment, payment and firm operations.
Of course the list of changes is much larger than the sampling of examples given here. If you think that is egregious, then wait until you hear about the penalties for not being in compliance. The penalties can be severe, indeed severe enough to close down your once thriving practice or make a once venerable county hospital have to shutter its doors.
Fines under HIPAA can range from $100 to a maximum of $25,000 per violation. If you get caught in complete wanton misuse of patient data, the fine can go up to $250,000 per violation, plus jail time. Let’s take for example the relatively innocuous oversight of not placing a notification in some patient’s file about the release of their data. In some cases, it may be a courier that picked up a backup tape of data to store in an offsite secure location. While not a backup scenario I would advocate, there are still some businesses and medical practices that use methods like this. Under HIPAA law, each time that tape is picked up by a courier (or FedEx, UPS, USPS) a record or trail must exist of this process. Failure to provide notification to your patients about this could easily result in a $100 fine per patient, per incident. So a practice with 1,500 patients, 50% of whom were not notified of this backup process, could face a fine of $75,000 from that one simple violation alone.
You might be thinking, how on earth could the Feds find out about something like this? Well, falling under the scrutiny of a HIPAA audit is a lot easier than you think, and unlike the IRS, which has been reined in by Congress, there are no plans to do so for HIPAA. In fact, the American public will desire such zealousness in the safeguarding of such highly personal data. HIPAA audits can be initiated easily with a phone call from a disgruntled employee, or even from patients who have a bone to pick with you or your institution for whatever reason. From this, you can almost expect a knock on your door from a HIPAA auditor!
While these are only the compliance rules strictly enforced by the Feds, it’s those private sharks in the water posing the real danger. Failure to properly protect patient data will be open game in the blood sport of litigation. For now the waters are calm, without enough chum in the water to draw enough sharks, both Federal and private, to the wound. Recent federal audits estimate the adoption of EMR (Electronic Medical Record) technology by physicians in 2009 at 4% of offices having fully implemented EMR, and only 17% with basic compliance. The hospitals’ numbers are even worse, with only 2% having a full implementation of the technology and just 8% of them having some basic implementation.
What all of this means is that in the next few years, hospitals and medical practices, ranging from dentists, physical therapists, and nutritionists to medical practices, etc., will be rushing to implement an Electronic Medical Record solution for their office, and many of them will be doing so in a haphazard manner, with money being the driving force. Incentive payments to eligible covered entities will begin in 2011 for those that can prove meaningful use of certified EMR technology. In order to show this meaningful use statistic, proof has to be given to the Feds. Such technology must be implemented and in use by 2010 in order to meet the criteria and receive the first year’s incentive payments. Incentive payments are largest in the first year (2011), creating yet another sense of urgency for these practices.
Having a certified EMR solution is just one area of HIPAA compliance. Forthcoming will be a series of articles that take an in-depth look at these compliance areas, such as:
- Your Office, Your Staff, Patient Data and the Compliance Equilibrium.
- Disaster Recovery: No Longer “Dirty Words”.
- Patients: Access to Their Data.
- What to Look for in an EMR Solution, Beyond the Obvious.