If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule much more in-depth but for now let’s look at the Security Rule at a high level.  The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected.   A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail of each of the three parts and provides questions and examples to help you better understand the concepts and principles.

The American Medical Association (AMA) along with 95 other physician organizations and associations (including including state, education and medical societies) have written a letter to the Centers for Medicare & Medicaid Service (CMS) with their comments regarding meaningful use and the EHR incentive program.  The 37 page letter outlines where the organizations agree and disagree with the proposed definition of meaningful use and it’s direct correlation to the EHR incentive payments.  To summarize the entire letter would be a lengthy process so I will pick out sections that caught my eye.

The overall message to CMS was that the proposed meaningful use requirements to achieve the initial stimulus payments are too aggressive and the cost to achieve them will deter physicians from participating in the EHR incentive program.

Physicians are deeply supportive of and committed to incorporating well-developed EHRs into their practices to improve quality of care delivery, enhance patient safety, as well as support practice efficiencies. To facilitate this transition, we want to ensure that there is widespread adoption and meaningful use of EHRs by physicians. We do, however, feel strongly that the Stage 1 criteria proposed by CMS for achieving meaningful use of EHRs is too aggressive and if adopted, will deter many physicians from participating in the Medicare and Medicaid incentive programs. This runs counter to the intent of ARRA, which clearly indicated that demonstrating meaningful use should progress over time.

The organizations are concerned about the impact on smaller physician groups.  They also are concerned with the high failure rates of EHR adoption.

The vast majority of physicians practices are comprised of five or fewer physicians.  Encouraging physician adoption of health IT, especially small physician practices, is critical to ensuring widespread EHR use. Studies of EHR adoption clearly show that it takes more time for smaller practices to adopt and implement EHRs because they have fewer resources and support. Aggressive timelines and criteria during the initial stage of the incentive program will only serve to undermine this effort. Some government officials have relayed that complex measures and high reporting thresholds are needed to discourage EPs from switching back to the use of paper during this transition to EHRs.  We are very troubled by this assertion. Physicians are deeply supportive of and  committed to incorporating well-developed EHRs into their practices to improve quality of care delivery, enhance patient safety, as well as support practice efficiencies. It is also very unlikely that after physicians make a significant up front investment in health IT and changes to their workflow that they will revert back to manual processes. We believe that the larger concern should be deterring the purchasing of costly EHR products that fail to improve physician workflow, patient care, and practice needs. Industry experts have cited that such failures have adversely affected EHR adoption rates ranging from 50 to 80 percent.

The letter goes on to suggest that the requirements for Stage 1 meaningful use should be spilt over the first two years.

We strongly agree with CMS’ proposal for establishing a staged approach to achieving “meaningful use” of EHRs. In this way, eligible professionals (EPs) are provided a predictable pathway, enabling them to plan, including consideration of practice workflow changes, and to engage in critical discussions with EHR vendors regarding functionalities. To support this, we strongly recommend that the focus of Stage 1 for the health IT functionality measures be on data entry (e.g., problem list, medication list) and structured data (e.g., enable EHR functionality for drug-drug, drug-allergy, drug 4 formulary checks). If achieved consistently and accurately, a more seamless use and reporting of quality measures will result. Therefore, we believe Stage 1 should be redefined and the proposed criteria should be segmented into two years to provide more flexibility on functionality measures and selection/awareness of quality measures

The letter addresses each of the 25 meaningful use objectives and describes where the organizations agree and disagree with the proposed objectives.  In my opinion it seems that the message to CMS is that they support the objectives but would like to see Stage 1 objectives scaled back.  The big push should be to get providers to implement EHRs and start using them, without strict requirements, to achieve the stimulus payments.  The organizations recognize that it is costly to implement EHRs and use them in meaningful ways.  It is costly to interface them with other systems including lab results, insurance providers, other EHRs.  And it is costly to support the new technology that is required.  Physician practices need to believe that the meaningful use objectives are realistic and that they are able to meet them.  Furthermore, they need to feel that they will be able to obtain the stimulus incentives to offset the costs of EHR adoption.  I feel the letter correctly addresses a lot of the issues that physician practices, both small and large, will face as they begin implementing EHRs.  It will be interesting to see what CMS does with the organizations’ recommendations.

The letter can be found on the AMA website.

Mary Pat Whaley over at Manage My Practice offers some useful tips for patient customer service.  This is a follow-up to her article on 50 Ways to Attract New Patients to Your Practice.

Some of her tips are easy common sense ideas such as:

Introduce yourself to patients. “Hi, I’m Jane and I am Dr. Smith’s assistant and I’ll be working with you today.”

Providers should always shake hands with patients and others in the exam room.  That first touch is so important!

Send your patients a birthday card.

I especially like some of her technology and social networking tips to improve customer service:

Have multiple ways for patients to complete their registration information – forms mailed to them, online completion, completion in the practice at a computer kiosk, completion at the practice with personal help, or pre-registration by phone.  

Invite patients to become a friend of the practice on Facebook and communicate regularly with your patients keeping them up-to-date on practice news, health news and local events. 

Send patients emails or letters and post on your website any information relating to hot topics in the news – vaccines, radiation exposure, etc.  

Have computers in the waiting area for patients to use. Have Wifi for patients to use their own computers while waiting.  Have instructions available for using the Internet to look up medical information and provide a written list of medical websites that your providers recommend.  Place this information on your website.  

Use your EMR or voice recognition to complete the patient’s medical record and print them a copy of it to take with them when they leave the exam room.  

Make your website a one-stop destination for practice information, health information, practice forms and secure messaging with the practice.