The realities of network security

There is a story over at FierceHealthIT that summarizes a healthcare security study commissioned by Kroll Fraud Solutions, Nashville, Tenn. The study concluded that healthcare organizations take security seriously but may have a false sense of how secure their organization really is.

Reasons for this may be that organizations continue to view security in silos. Some 87 percent of respondents said they have policies to monitor access to and sharing of electronic health information, but most of the reported breaches had more to do with carelessness than technology–stolen laptops and back-up tapes, as well as improper document disposal.
 
The white paper, commissioned by Nashville, Tenn.-based Kroll Fraud Solutions, says respondents gave their organizations high marks–an average of 6 on a scale of 1 to 7–for compliance with HIPAA, state security laws, CMS regulations and the Federal Trade Commission’s “Red Flags” rule for identity theft, and a score of 5.75 for compliance with new security requirements of the HITECH Act portion of the American Recovery and Reinvestment Act. Despite these high ratings, 19 percent of organizations reported having a data breach in the past 12 months, up from 13 percent in 2008.

The first step to ensuring that your practice is secure is taking security seriously. It is important to write security policies and procedures. But security is not about going down a list of to-do items and checking each one off. Security is about ingraining best practices into your everyday workflow. Unfortunately, security at times gets in the way of how we normally perform our jobs. Security requires a few extra steps at times. You might have to encrypt the file that you are working on before copying it to a USB drive, or you may have to send a patient an encrypted email rather than a standard email. Each one of these actions requires a few extra steps, but in return you have made sure that the data is secure and protected.

Security also costs money. There is no way around it. In order to ensure that your data is protected and secure, and especially to comply with the HIPAA Security Rule, you have to invest in security technology. Patients want to communicate more and more by email, so you will eventually have to invest in email encryption to communicate with patients safely and securely. Data is more and more portable, and you have to put in place the proper technology to protect it. Portable data can be on laptops, tablets, USB drives, smartphones, etc. Each one of these devices can leave your office and could potentially be lost or stolen. Implementing encryption technology is essential to protecting the data. Unfortunately, you may have to implement one or more encryption technologies appropriate for each type of device.

Security costs money in ways you may not think about. Proper security requires that employees have unique user IDs and passwords and only have access to the information they have been granted access to. But how do you know if someone is trying to access information that they are not allowed to access? How do you know if someone has hacked through your firewall and is accessing your EMR? Your servers should be set up to log important events that occur on them, such as logons, logoffs, invalid password attempts, successful data access, unsuccessful data access, etc. These server log files can become huge, and there is so much information in them that it is almost impossible to understand what is happening on the servers by reading them. You will either have to invest in technology that goes through the server logs and notifies you when a security event is occurring, or you will have to pay an outside IT company to monitor your log files. Either way, it is probably not an expense that you have considered.
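To make the "technology that goes through the server logs" concrete, here is an added example (not code from the original post) that scans the kinds of events listed above and raises alerts for repeated invalid passwords, repeated denied data access, and successful record access outside business hours. The log format, event names, thresholds and sample lines are all constructed assumptions.

```python
"""Minimal security-event monitor for server logs.

Added example, not code from the original post. The log format, the
event names and the thresholds are assumptions; the sample lines are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<date> <time> <event> key=value ..."
SAMPLE_LOG = """\
2010-03-01 08:01:10 LOGON user=jsmith
2010-03-01 08:02:05 INVALID_PASSWORD user=mjones
2010-03-01 08:02:20 INVALID_PASSWORD user=mjones
2010-03-01 08:02:41 INVALID_PASSWORD user=mjones
2010-03-01 08:02:55 INVALID_PASSWORD user=mjones
2010-03-01 08:03:02 INVALID_PASSWORD user=mjones
2010-03-01 08:05:00 DATA_ACCESS_OK user=jsmith record=patient/1001
2010-03-01 08:06:00 DATA_ACCESS_DENIED user=jsmith record=billing/ar
2010-03-01 08:06:30 DATA_ACCESS_DENIED user=jsmith record=billing/claims
2010-03-01 08:07:00 DATA_ACCESS_DENIED user=jsmith record=hr/payroll
2010-03-01 17:30:00 LOGOFF user=jsmith
2010-03-01 23:15:00 LOGON user=rbrown
2010-03-01 23:16:00 DATA_ACCESS_OK user=rbrown record=patient/2042
"""

# Thresholds are assumptions; a practice would tune them to its own policy.
FAILED_LOGON_LIMIT = 5        # invalid passwords per user within WINDOW
DENIED_ACCESS_LIMIT = 3       # denied data accesses per user within WINDOW
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)      # local hours during which record access is expected


def parse_line(line):
    """Parse one log line into (timestamp, event, fields dict)."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    event = parts[2]
    fields = dict(kv.split("=", 1) for kv in parts[3:])
    return ts, event, fields


def _burst_in_window(times, limit, window):
    """True if `limit` sorted timestamps fall within `window` of each other."""
    for i in range(len(times) - limit + 1):
        if times[i + limit - 1] - times[i] <= window:
            return True
    return False


def analyze_log(text):
    """Return a sorted list of (alert_type, user) tuples for the log text."""
    failed = defaultdict(list)
    denied = defaultdict(list)
    alerts = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        user = fields.get("user", "?")
        if event == "INVALID_PASSWORD":
            failed[user].append(ts)
        elif event == "DATA_ACCESS_DENIED":
            denied[user].append(ts)
        elif event == "DATA_ACCESS_OK":
            # The access was authorized, but record access at 11 pm is
            # unusual for a practice and deserves a second look.
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.add(("after_hours_access", user))
    for user, times in failed.items():
        if _burst_in_window(sorted(times), FAILED_LOGON_LIMIT, WINDOW):
            alerts.add(("password_guessing", user))
    for user, times in denied.items():
        if _burst_in_window(sorted(times), DENIED_ACCESS_LIMIT, WINDOW):
            alerts.add(("repeated_denied_access", user))
    return sorted(alerts)


if __name__ == "__main__":
    for alert_type, user in analyze_log(SAMPLE_LOG):
        print(f"ALERT {alert_type}: user={user}")
```

On the sample lines this flags mjones for password guessing, jsmith for repeated denied access, and rbrown for after-hours record access; in practice the same logic would be fed by the server's real log export.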

Computer networks are constantly changing. New programs are added, program updates are applied, and security patches are downloaded and installed. Every change to the network has the potential of opening up a hole that someone could find and exploit to access your data. A security best practice is to periodically have a network penetration test and a vulnerability scan performed on your network. These are usually done by outside IT consultants who are very familiar with network security.

The network penetration test tries to access your network from outside of your office. This could be through the Internet, phone lines, wireless access points, etc. It looks for holes in your network security that an outsider could get through. The holes could be created by an improperly configured firewall or by unnecessary services running on the network that can be reached from outside. Without the penetration test you would probably have no idea that these security holes existed. The vulnerability scan looks for security holes on your internal network. Vulnerabilities are identified by your vendors, such as Microsoft or your EMR vendor, who put out security patches that address them. A vulnerability scan checks that the appropriate security patches for your network have been applied. The end result of both the penetration test and the vulnerability scan should be a comprehensive report on any issues that have been identified and the recommended steps to address them.

The other big piece of security is training your staff to perform their job functions in a safe and secure manner that protects patient data. It is important to go over the policies and procedures with employees, but it is even more important for them to understand the benefits of security. When you start implementing better network security you will be making changes that directly affect your employees. They need to understand why passwords need to be 8 characters and changed every 60 days (for example). They need to understand why data must be encrypted if it is leaving your network. The good news is that employees already understand security. They understand the need for safe transactions when they are buying something from amazon.com. Training should take what they already understand and apply it to patient information. The bad news is that network security means change. Many employees don't like change and prefer doing things the way they are used to.

As you can see, security is a challenge for any medical practice. It requires a few extra steps to perform a job function in a secure manner. Security has costs that are both obvious and hidden. Security means change, and change can have a direct impact on your staff. The purpose of this article was not to scare you away from security but to shed some light on what you will be getting into as you implement better network security that protects your patients' data.


Outsourcing Medical Billing

Every medical practice faces a similar issue: getting paid for services performed for patients. Some practices have made medical billing a core component of their business. They have a group of heads-down medical billing specialists. The group manages the entire billing process and watches the accounts receivable like a hawk. Other practices want no part of having the medical billing function in house and are happy to outsource it to a company that specializes in medical billing. The questions to ask are: is there a right or wrong decision to be made, and how do you make the decision?

Chris Thorman over at Software Advice gives a very good analysis of the costs to a typical three-physician practice. He compares the cost of in-house vs. outsourced medical billing. Here is an overview of his cost analysis:

Cost Analysis
For many practices, the outsourcing decision boils down to one factor: cost.

To help compare the costs of in-house billing versus outsourced billing, we’ve created a hypothetical, three-physician practice. To arrive at these numbers, we’ve used what we believe to be industry averages. Here are the characteristics of this practice:

Three primary care physicians;

Two medical billing specialists;

80 insurance claims filed per day (~20,000 per year);

$125 billed per claim on average (~$2,500,000 per year); and,

We assume that the billing service has a high collection rate on claims.

So, how much does each billing approach cost? Take a look at the annual costs:

                                  In-House      Outsourced
  Billing department costs        $118,000      $4,000
  Software and hardware costs     $7,500        $500
  Direct claim processing costs   $3,600        $122,500
  Software and hardware costs     $5,500        $2,000
  % of billings collected         60%           70%
  Collections                     $1,370,900    $1,623,000
  Collections costs               $129,100      $127,000
  Collections, net of costs       $1,241,800    $1,496,000

Chris goes on to justify this cost analysis by discussing the cost assumptions. Click here for the complete analysis. Based on his analysis, Chris determined that collections would be higher for the practice if it chose to outsource the medical billing function.

Today, companies and medical practices have the ability to outsource many of the functions required to run the business. You can outsource your payroll, human resources, computer support, etc. In each decision to outsource you have to ask yourself two questions: is this function core to my business, and can I do a better job at it than a company that specializes in this function?

I have seen practices that are really good at medical billing. They have made billing a core function of the practice and have gotten the function to a well-greased machine. I have also seen practices with constant turnover in the medical billing department and have heard about the pain associated with the turnover.

My advice is to make sure you know what you are getting into.  If you choose to keep medical billing in-house then you need to understand the costs, hardware/software/network dependencies, training requirements and staffing requirements.  If you choose to outsource you need to understand the costs, the functions your staff will still have to perform, the service level and the agreed upon expectations you have of the medical billing company.

Do you have a success or horror story related to medical billing?  Are there other factors that need to be considered when making the decision?  Feel free to share your thoughts.


HITECH Act breach notification requirements

In the age of the Internet and search engines, you want to get your practice noticed on the web.  But there is one place that you don’t ever want to see your practice’s name and that is the U.S. Department of Health & Human Services’ (HHS) HITECH breach website. 

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

The site is for HIPAA / HITECH violations affecting 500 or more individuals.

Breaches Affecting 500 or More Individuals

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.

The list contains:

  • the name of the entity (organization, corporation, practice, clinic, etc.)
  • the state where the entity is located
  • the approximate number of individuals affected
  • the date of the breach
  • the type of breach (theft, loss, unauthorized access, hacking/IT incident, incorrect mailing, misdirected e-mail, phishing scam, etc.)
  • the location of breached information (i.e. laptop, hard drive, mailing, e-mail, etc.)

I mentioned in this post about Blue Cross Blue Shield of Tennessee having 57 hard drives stolen from a training center.  Each of the hard drives contained personal information about subscribers.  In conjunction with the data breach, they are now listed on the HHS breach website.

Blue Cross Blue Shield of Tennessee
State: Tennessee
Approx. # of Individuals Affected: 500,000
Date of Breach: 10/02/09
Type of Breach: Theft
Location of Breached Information: Hard Drives

Let’s take a step back and look at the other breach notification requirements to comply with the HITECH Act.  The HHS website states that a covered entity must do the following in the event of a breach of unsecured protected health information:

Breach Notification Requirements

Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.  In addition, business associates must notify covered entities that a breach has occurred.

  • Individual Notice

Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.  Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.  If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.  If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.   

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.  Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

  • Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.  Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.  Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

  • Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information.  Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.  If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.  If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.  Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

  • Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach.  A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.  To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

As you can see, the HITECH Act has put some stiff requirements on breach notifications concerning unsecured protected health information. My advice is to make sure your HIPAA policies and procedures are up to date, your staff is trained, and you do everything possible to avoid a data breach. You don't want to end up on the HHS "wall of shame".


Costly data breach for BlueCross

A break-in at a mall has cost BlueCross BlueShield of Tennessee $7 million and counting. As noted in this Newsweek article:

On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company’s training center in Chattanooga’s Eastgate Town Center mall. The drives contained recordings of more than 1 million customer support calls, totalling 50,000 hours of conversation. There were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time some of the calls were made.

In most of the calls, subscribers provided their BlueCross ID number, name and date of birth — not enough information for criminals to pull off an identity theft scam. But in some calls, Medicare subscribers provided what’s known as a Health Insurance Claim (HIC) number, which contains the subscriber’s Social Security number. Many of the screen shots also include Social Security numbers, and that information can be used in identity theft.

An attorney from BlueCross said in a letter to the Maryland attorney general that the data on the hard drives were encoded but not encrypted. Encoding only changes the representation of the data and can be reversed by anyone who knows the format; encrypted data would require the passphrase or key to decrypt and read it.

Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened.

So for the past five months, BlueCross has been sorting out which of its 3 million customers to notify of the breach. “Unfortunately, after checking with numerous vendors throughout the country, an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary,” BlueCross said in the letter, dated Dec. 16.

“We made the decision that there is really no substitute for actually manually going through it and looking at the video screens or listening to the audio,” said Roy Vaughn, a BlueCross BlueShield of Tennessee spokesman. “It has to be reviewed.”

The costs keep tallying up:

The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.

The HITECH Act requires media and regulatory notifications. In the letter to the Maryland attorney general they mention:

The HITECH Act requires that we provide media notice to any jurisdiction where over 500 members may reside; therefore, we are also notifying all Attorneys General in these states so they may also be aware of our activities and could address questions they may receive from our members who reside in their states.

A few points to think about regarding this incident are:

  1. This did not occur at the BlueCross headquarters but at a rented location. So no matter how well they secured their offices and network, a HIPAA security breach still occurred.
  2. Data that leaves your headquarters, office or building on a laptop, desktop, USB drive, smartphone, etc., and that is not encrypted is a liability waiting to happen.
  3. HIPAA and HITECH data breaches can be extremely costly, not only from a HIPAA fine perspective but from the manpower and lost productivity required to react to the data breach.

Eye scan for unique patient ID

The need to uniquely identify patients in a practice management or EHR system is critical. This is especially true in light of a well-publicized incident with the Veterans Association (VA) and the Department of Defense.

VA officials first discovered problems with the data exchange late last month when a VA clinician found a record in AHLTA (the Defense Department's AHLTA EMR) indicating that a female patient had been prescribed a drug for erectile dysfunction. NextGov reports that the clinician's query actually had returned the record of another patient. "The VA clinician may see the patient's data during one session, but another session may not display the data previously seen," the VA alert explains. "This problem occurs intermittently and has been reported when querying DoD laboratory, pharmacy and radiology reports."

There has been a lot of discussion on using biometrics such as fingerprints, palm readers, etc., to uniquely identify patients. But now there is a new technology that can read the iris of a patient's eye. Like a fingerprint, the iris provides a unique identifier. The eye scanner does not require any physical contact with the patient.

For a clinic in the Bronx, NY, where many patients share the same names and many have no SSN, the iris reader provided a perfect solution. As reported in this CNN article:

With a heavily Hispanic client base, where some of their 37,000 patients speak limited English and only a few provide Social Security numbers, the clinic encountered cases of mistaken identities.

It had 50 Maria Hernandezes, 66 Maria Gonzaleses, 55 Jose Gonzalezes, 83 Carmen Rodriguezes and 103 Jose Rodriguezes, according to the clinic.

The clinic photographed its patients, but that was imprecise. De Leon didn’t want to use fingerprints, because some patients associated that with the police and crime. He didn’t want to use palm readers that required physical contact because that would easily spread germs. So he set his sights on iris scanners; it didn’t require touching and didn’t carry the negative connotations.

The company that makes the iris scanner is Eye Controls. Evan Smith, Eye Controls' chief executive officer, says this about his technology:

"The acceptable error rate is zero, because we're talking about people's lives here. People can get hurt and die."

The iris, which is the colored ring of the eye, is unique for every human being. The company tested the iris scanner with simulated IDs and found zero errors in 8 million transactions.

For more information read the FierceHealthIT story.


Issue with mobile devices and patient privacy

I read a post by Bob Coffield over at the Health Care Law Blog about mobile devices and the potential for patient privacy issues. The post discusses an incident where hospital employees took pictures of a shark attack victim in the emergency room and emailed them to other people.

Bob goes on to express concern that mobile devices with cameras and social media increase the potential for patient privacy issues.

As such, this incident provides a good example for training and reeducating health care employees on patient privacy issues. Health care employees and professionals must always remember to start from a framework of protecting the health and privacy of their patients. As the use of mobile devices with cameras and social media tools becomes more ingrained in our every day lives — the ability for private information to be captured, transferred and spread in a viral fashion has become much easier. Caution must be used and this case highlights the importance of retraining staff and highlighting the importance of protecting your patient’s privacy.

Hospitals and medical practices have to add cameras, Facebook updates, tweets, and other social media to the list of items to address when providing HIPAA privacy education.


Patient customer service ideas

Mary Pat Whaley over at Manage My Practice offers some useful tips for patient customer service. This is a follow-up to her article on 50 Ways to Attract New Patients to Your Practice.

Some of her tips are easy common sense ideas such as:

  • Introduce yourself to patients. “Hi, I’m Jane and I am Dr. Smith’s assistant and I’ll be working with you today.”
  • Providers should always shake hands with patients and others in the exam room.  That first touch is so important!
  • Send your patients a birthday card.

I especially like some of her technology and social networking tips to improve customer service:

  • Have multiple ways for patients to complete their registration information – forms mailed to them, online completion, completion in the practice at a computer kiosk, completion at the practice with personal help, or pre-registration by phone.  
  • Invite patients to become a friend of the practice on Facebook and communicate regularly with your patients keeping them up-to-date on practice news, health news and local events. 
  • Send patients emails or letters and post on your website any information relating to hot topics in the news – vaccines, radiation exposure, etc.  
  • Have computers in the waiting area for patients to use. Have Wifi for patients to use their own computers while waiting.  Have instructions available for using the Internet to look up medical information and provide a written list of medical websites that your providers recommend.  Place this information on your website.  
  • Use your EMR or voice recognition to complete the patient’s medical record and print them a copy of it to take with them when they leave the exam room.  
  • Make your website a one-stop destination for practice information, health information, practice forms and secure messaging with the practice. 

Trying to conceive? There’s an app for that

Many of my clients specialize in reproductive medicine. So when I came across a post about an ovulation calendar on the Medicine and Technology blog, I thought it may be of interest.

There is a new Apple iPhone application that helps with ovulation tracking. 

The iPhone Ovulation Calendar is personalized and based on daily information from the date of the last period and the luteal phase. The application uses the information the woman inputs: the day of the last period, the average length of her menstrual cycle and the luteal phase. Combining this information, the application formulates a monthly calendar which can be instrumental for couples trying to conceive.

The complete post can be found here.


Electronic registration savings are significant

The Medical Group Management Association (MGMA) has an interesting study on the benefits of electronic registration. In January 2009 the MGMA launched an initiative called SwipeIT.

Project SwipeIT is an industry wide initiative launched by the Medical Group Management Association (MGMA) in January 2009 to advance the adoption of standardized patient health-insurance identification (ID) cards containing machine-readable information.

The concept is that the insurance providers will issue patient health-insurance ID cards that contain patient information including demographics, health plan information, co-pays, etc. The cards will act and function like a credit card. Each medical practice, hospital and clinic will need a card reader that can process the information on the card. The card reader can then be linked to the practice's EMR or practice management system, which will populate the patient demographic and insurance fields automatically. The whole process is referred to as electronic registration.

The MGMA study takes a look at the costs of non-electronic registration and calculates the savings that can be realized by implementing electronic registration.  There are enough numbers and calculations in the study to make your head spin but I will highlight a few statistics that are eye opening.

Model Assumptions and Raw Input Values

Number of claims per year for physician professional services: 1,160,542,000
Hours saved per year during registration process by implementing electronic registration: 95,280,498
Dollars saved per year during registration process by implementing electronic registration: $1,931,753,287

Number of claims per year that must be resubmitted due to payer denial due to incorrect patient demographics from non-electronic registration: 57,168,299
Hours per year to resubmit claims denied due to payer denial due to incorrect patient demographics from non-electronic registration: 14,292,075
Dollars saved per year by not having to resubmit claims denied due to payer denial due to incorrect patient demographics from non-electronic registration: $289,762,993

Total savings due to implementing electronic registration (dollars per year): $2,221,516,280

The MGMA estimates that $2.2 billion per year can be saved by implementing electronic registration. It should be noted that the study does not estimate the cost to implement electronic registration, including the cost for insurance providers to issue the cards, for practices and hospitals to purchase and install card readers, for EMR and practice management vendors to modify their software to interface with the card readers, etc. I suspect that a good part of the initial $2.2 billion in savings would go to the implementation costs. The ongoing savings would still be significant.

The MGMA also studied the impact on a typical 6 FTE physician practice and published their results. They took conservative and non-conservative estimates of the impact of electronic registration. The difference in the estimates is described as:

A conservative estimate where only 10% of patients have their insurance cards copied, presumably because of changes in their information.

The non-conservative estimate is where:

(a practice) copies the patient’s insurance card on each visit. This practice may also have a much larger proportion of patients whose information needs updating.

The highlights of the study are listed below:

Conservative estimate
Time saved by swipe card: 7 h/day (1820 h/year)

Non-conservative estimate
Time saved by swipe card: 23h45m/day (6175 h/year)

If these numbers are accurate, the need for front desk personnel could be reduced and savings could be realized at a practice.

Electronic registration is an industry-wide initiative. All stakeholders, including insurance providers, EMR vendors, medical practices and hospitals, would need to be involved and implement the appropriate technologies. Until then, the savings highlighted in these studies are only theoretical.


Washable keyboard ideal for exam rooms

Econo-Keys makes a washable keyboard that is very well suited for exam rooms, operating rooms, etc.

Econo-Keys states the following about their keyboards:

Econo-Keys specializes in economical keyboards that are sealed and completely washable to withstand daily scrubdowns with anti-bacterial agents, enabling them to meet and exceed any hygienic protocol and reduce the spread of infectious bacteria such as MRSA, E. Coli and Hepatitis C.

The company says it protects against:

  • Splashing, hose-directed and submerged water
  • Bleach, alcohol and hospital-grade disinfectants
  • Corrosive, abrasive, acidic and alkaline substances
  • Dirt, dust, sand and other airborne debris
  • Extreme temperatures

John Lynn over at EMR and HIPAA has a video, shot on the exhibit floor of the Healthcare Information and Management Systems Society (HIMSS) conference, of the Econo-Keys keyboard in action.
