You have to admit that now is a very interesting time to be in the healthcare field.  This year we saw a $1 Trillion healthcare reform bill get passed.  I don’t believe that anyone has a real understanding of the impact of the bill or its affects on medical practices.  It seems every day more details are revealed of the bill.  It will take years before we see the total impact.

Then you have the ARRA stimulus package which provides $19 Billion in Medicare incentives to doctors that embrace the use of certified EHRs.  This is a huge opportunity for medical practices to implement technology and move from paper charts to EHRs.  But along with the incentives come some significant obstacles.  Medical practices have to use a certified EHR but there is no definition of what that means or who the exact certifying bodies are.  As of today you can not purchase an EHR that is certified and will qualify for the stimulus funds.  Practices not only have to implement certified EHRs but they have to use them in a way that shows “meaningful use”.  Of course the exact rules for meaningful use are not known and many argue that the rules that are being proposed are too rigid and the bar is too high for practices to actually show meaningful use.  Taken altogether, you  have a lot of medical practices that want to cash in on the ARRA stimulus incentives and to implement an EHR but you have uncertainty and obstacles that are keeping them on the sideline.  They are taking the wait and see approach.  Some are even thinking that it may not be worth the effort to attempt to participate in the ARRA stimulus incentives.

One thing for certain is that the medical practices that are moving forward with an EHR implementation are spending a lot of money.  There is no way around it, EHRs are expensive.  The cost of the software, hardware, network, training, staff disruption and all of the other components that go into an EHR implementation all add up.  Of course the hope would be that the costs would be offset by the ARRA stimulus incentives but that is not a guarantee as I mentioned before.

At the same time you have all this uncertainty around healthcare reform and ARRA stimulus, medical practices have to contend with two major economic issues.  The first is the severe recession that we have been in since 2008.  There is no way around it, when the economy is suffering all business including medical practices suffer as well.  I hear from my clients that patient visits are down and that waiting rooms are less filled.  This has a significant and real impact on a medical practice’s cash flow and financial health.  The second economic issue is the proposed cut of 21% in Medicare payments to physicians.  For at least 6 months the looming threat of a 21% cut in Medicare payments have darkened the economic sky for medical practices.  Congress has postponed the cuts several times but have not permanently addressed the situation.  As of today, the 21% cut has been pushed back until November 30, 2010.  Along with postponing the Medicare cut, Congress has given doctors a 2.2% increase until November.  Very few medical practices are rejoicing because in December 2010 they are looking at a 23% cut in Medicare payments followed up by a 30% cut in January 2011.  No one really knows what or when the final outcome will be.

On top of major financial outlays to implement EHRs and the uncertainty surrounding the economy and Medicare reimbursements, medical practices have to deal with many government regulations.  As I have written about often, the looming threat of HIPAA Security Audits are a real concern for medical practices.  Implementing HIPAA Security usually require skill sets that medical practices don’t have.  IT security companies are needed to help with policies and procedures, vulnerability and risk assessments along with implementing new technologies such as email and laptop encryption.  On top of HIPAA Security, medical practices face the “Red Flags Rule”  requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft.  The Red Flags Rule has been postponed several times and was to go into affect June 1, 2010.  As of now the FTC has agreed to keep physicians exempt from the rule until the outcome of a lawsuit by the American Bar Association.  Once again, the outcome of this regulation is unknown.

When you look at each of the issues a medical practice has to address from healthcare reform to Medicare reimbursement cuts they don’t seem to bad.  Each one taken separately allows a medical practice to address the issue and to make modifications to they way they run their business.  But unfortunately all of the issues are happening at the same time.  A medical practice has to address all of the issues together including major financial outlays, cuts in revenue caused by several factors,  and staying abreast and implementing the latest government regulations.  All the time spent addressing these issues is time not spent on seeing and treating patients.

Have other  industries gone through such dramatic change in such a short period of time?  The changes provide opportunities along with real negative affects.  Medical practices need to be flexible and to adjust to all of these changes.  Some of the changes such as the Red Flags Rule may never occur.  But either way a medical practice needs to be prepared, need to be informed and need to be ready to change their business model to adjust to such dramatic changes.  Strange days indeed.

If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule much more in-depth but for now let’s look at the Security Rule at a high level.  The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected.   A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail of each of the three parts and provides questions and examples to help you better understand the concepts and principles.

The American Medical Association (AMA) along with 95 other physician organizations and associations (including including state, education and medical societies) have written a letter to the Centers for Medicare & Medicaid Service (CMS) with their comments regarding meaningful use and the EHR incentive program.  The 37 page letter outlines where the organizations agree and disagree with the proposed definition of meaningful use and it’s direct correlation to the EHR incentive payments.  To summarize the entire letter would be a lengthy process so I will pick out sections that caught my eye.

The overall message to CMS was that the proposed meaningful use requirements to achieve the initial stimulus payments are too aggressive and the cost to achieve them will deter physicians from participating in the EHR incentive program.

Physicians are deeply supportive of and committed to incorporating well-developed EHRs into their practices to improve quality of care delivery, enhance patient safety, as well as support practice efficiencies. To facilitate this transition, we want to ensure that there is widespread adoption and meaningful use of EHRs by physicians. We do, however, feel strongly that the Stage 1 criteria proposed by CMS for achieving meaningful use of EHRs is too aggressive and if adopted, will deter many physicians from participating in the Medicare and Medicaid incentive programs. This runs counter to the intent of ARRA, which clearly indicated that demonstrating meaningful use should progress over time.

The organizations are concerned about the impact on smaller physician groups.  They also are concerned with the high failure rates of EHR adoption.

The vast majority of physicians practices are comprised of five or fewer physicians.  Encouraging physician adoption of health IT, especially small physician practices, is critical to ensuring widespread EHR use. Studies of EHR adoption clearly show that it takes more time for smaller practices to adopt and implement EHRs because they have fewer resources and support. Aggressive timelines and criteria during the initial stage of the incentive program will only serve to undermine this effort. Some government officials have relayed that complex measures and high reporting thresholds are needed to discourage EPs from switching back to the use of paper during this transition to EHRs.  We are very troubled by this assertion. Physicians are deeply supportive of and  committed to incorporating well-developed EHRs into their practices to improve quality of care delivery, enhance patient safety, as well as support practice efficiencies. It is also very unlikely that after physicians make a significant up front investment in health IT and changes to their workflow that they will revert back to manual processes. We believe that the larger concern should be deterring the purchasing of costly EHR products that fail to improve physician workflow, patient care, and practice needs. Industry experts have cited that such failures have adversely affected EHR adoption rates ranging from 50 to 80 percent.

The letter goes on to suggest that the requirements for Stage 1 meaningful use should be spilt over the first two years.

We strongly agree with CMS’ proposal for establishing a staged approach to achieving “meaningful use” of EHRs. In this way, eligible professionals (EPs) are provided a predictable pathway, enabling them to plan, including consideration of practice workflow changes, and to engage in critical discussions with EHR vendors regarding functionalities. To support this, we strongly recommend that the focus of Stage 1 for the health IT functionality measures be on data entry (e.g., problem list, medication list) and structured data (e.g., enable EHR functionality for drug-drug, drug-allergy, drug 4 formulary checks). If achieved consistently and accurately, a more seamless use and reporting of quality measures will result. Therefore, we believe Stage 1 should be redefined and the proposed criteria should be segmented into two years to provide more flexibility on functionality measures and selection/awareness of quality measures

The letter addresses each of the 25 meaningful use objectives and describes where the organizations agree and disagree with the proposed objectives.  In my opinion it seems that the message to CMS is that they support the objectives but would like to see Stage 1 objectives scaled back.  The big push should be to get providers to implement EHRs and start using them, without strict requirements, to achieve the stimulus payments.  The organizations recognize that it is costly to implement EHRs and use them in meaningful ways.  It is costly to interface them with other systems including lab results, insurance providers, other EHRs.  And it is costly to support the new technology that is required.  Physician practices need to believe that the meaningful use objectives are realistic and that they are able to meet them.  Furthermore, they need to feel that they will be able to obtain the stimulus incentives to offset the costs of EHR adoption.  I feel the letter correctly addresses a lot of the issues that physician practices, both small and large, will face as they begin implementing EHRs.  It will be interesting to see what CMS does with the organizations’ recommendations.

The letter can be found on the AMA website.