New Jersey pilot program aimed to cut admin costs

AIS’s Health Business Daily describes a New Jersey pilot program with major insurers that aims to cut provider paperwork and standardize processes.  The goal is to reduce the costs associated with determining patient eligibility and checking claim status.

A typical primary care physician spends about $68,000 a year on administrative tasks such as determining patient eligibility and checking claim status. The goal of a 12-month pilot project — announced Feb. 10 — is to show how that problem might be fixed.

The pilot program will work with all the major insurance plans.

New Jersey’s five largest health plans and five physician groups will participate in the initiative, which aims to dramatically reduce administrative costs by allowing hospitals and physicians to communicate with health plans and address administrative tasks through a single Web portal.

“What we’re producing is a one-stop shop, through which physicians and their offices can contact all of the health plans they deal with” through a single Web portal. The participating health plans are Aetna Inc., Independence Blue Cross subsidiary AmeriHealth New Jersey, CIGNA Corp., Horizon Blue Cross Blue Shield and UnitedHealthcare, Inc.

Providers access insurance information through the NaviNet web portal.

The portal is maintained by NaviNet, a health care information technology company. Several health plans that operate in New Jersey already use NaviNet. Horizon, the state’s largest health plan operator with 3.6 million members, expects to close its independent portal and move to NaviNet in March or April. During the conference call, Christy Bell, Horizon’s senior vice president of health care management, said the pilot is an opportunity for health plans and providers to move closer to standardizing administrative processes.

Aetna has been using NaviNet’s portal for several years. More than 40% of the health plan’s network providers have access, said Aetna President Mark Bertolini. Along with helping to streamline administrative processes, he said the portal also can be used to improve health outcomes.


HIPAA Willful Neglect can cost a practice

There is a very good article over at AIS’s Health Business Daily that discusses HIPAA and HITECH violations.  With the signing of the HITECH Act as part of the ARRA stimulus bill, the penalties for HIPAA violations have increased dramatically.  The HITECH Act has also increased the enforcement of HIPAA regulations.

A privacy breach due to “willful neglect” that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million.

Covered entities (CEs) — and also business associates, who are now subject to civil and criminal penalties as of this month — need to know what actions (or lack thereof) can push them into the “willful neglect” category, which carries the most severe fines. They may be surprised to learn that routine inaction or procrastination by busy organizations could be categorized as enormously costly willful neglect.

The interim final rule regarding enforcement, published in the Oct. 30, 2009, Federal Register, uses the same language as the previous enforcement rule, stating: “Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”

Where it gets really interesting is the description of “Willful Neglect”:

The most obvious demonstration of willful neglect would be when a covered entity has no preventative policies and procedures in place and a breach occurs. Annulis notes that seven years into HIPAA compliance, it’s unlikely that a CE or BA would have no formal protocol.

Greg Young, the privacy officer at Mammoth Hospital in California, however, believes that many small doctors’ offices and clinics still lack policies and procedures because they “don’t feel it’s necessary or don’t want to spend the money. They just want to take care of their patients, not realizing that part of taking care of patients is taking care of their information.”

If you think that just writing policies and procedures will help avoid willful neglect, then read on.

“The greatest danger” for an organization, according to former director of OCR Richard Campanelli, now an attorney with Baker & Daniels LLP, is having policies and procedures that no one is enforcing and that employees are not educated about. “A policy on a shelf is not going to be very helpful — it won’t be helpful in protecting privacy and security, and it won’t be helpful in responding to an investigation,” he says. Once a violation occurs, the fact that the policy exists signals to OCR that the organization knows what it should be doing and has chosen not to comply.

The takeaway from this article is that you need to have policies and procedures in place for both the HIPAA Privacy and Security rules.  These policies and procedures need to be enforced and communicated to all employees.  I would tend to guess that a lot of practices have policies and procedures in place for the Privacy rule.  Practices will need to develop policies and procedures that comply with the Security rule as well.  This is especially true as practices start to create electronic patient health information (ePHI) through the implementation of an EMR, digital x-rays, electronic lab results, billing information, scanned consent forms, etc. The increased use of technology such as laptops, remote access, email, portable disks and smartphones will also require the appropriate policies and procedures.

Here is a final thought that might keep you up at night.  Imagine a spreadsheet with financial and demographic information of 250 patients that was saved unencrypted on a laptop.  The laptop was taken home by the billing manager and was stolen out of her car.  Did you have a policy and procedure which prevented her from taking the information?  Was it enforced?  Was it communicated to all employees?  Is this an unfortunate HIPAA violation or is this willful neglect? 


Every Medical Practice Needs a CIO

When I was a freshman at Penn State, I landed a summer internship at Merck & Co., Inc.  Within weeks of working there I knew I wanted to be the Chief Information Officer (CIO) of Merck.

A good definition of a CIO can be found at Answers.com.

A company executive who is responsible for the management, implementation and usability of information and computer technologies. The CIO will analyze how these technologies can benefit the company or improve an existing business process and will then integrate a system to realize that benefit or improvement.

My view of a CIO is a person that is responsible for the overall Information Technology (IT) including:

  • Hardware (desktops, laptops, network, wide area network, Internet, firewalls, etc.).
  • Software (customer relationship management [CRM] systems, accounting systems, manufacturing systems, etc.).
  • Security (policies, procedures and technology to implement and enforce security).
  • Support of the entire Information Technology.

A CIO must be involved with the selection of new technologies, the implementation of new technologies and must ensure that any new technology is secure and supportable within the company.

Most of the time a CIO is associated with a large enterprise but as the title of this article states, it is my belief that every medical practice should have a CIO.  Just like in large organizations, a medical practice has information technology needs.  As I mentioned in this article, as a practice implements an EMR the size of their network will grow rapidly.

Whether it is a small, midsize or large medical practice, the need for a CIO exists.  The CIO should understand the details, the workflow and the requirements of the practice.  If the practice is at the point of trying to select an EMR, the CIO should be involved in the selection process.  The CIO should understand what the functional requirements of the EMR should be but should also be concerned with the network, security and support requirements.  In addition, the CIO should be involved with the implementation and coordination of the multiple vendors (software, network, training, Internet Service Provider [ISP], lab vendors, digital x-ray vendors, etc.) to successfully implement the EMR.

Once the EMR has been implemented, the CIO will need to ensure that the system is supportable, secure, and reliable.  The CIO will need to be involved if any of the components of the information technology need to be upgraded or new components need to be added.  The CIO must ensure that an upgrade of one component does not negatively impact the functionality of other components.  The CIO will also need to be involved if there is a problem with one of the IT components. The CIO must resolve the unavoidable vendor finger-pointing that occurs when multiple vendors are involved.

A practice will need to ensure that it is compliant with all government regulations including HIPAA and the HITECH Act.  The CIO should be responsible for ensuring that the policies, procedures and proper technologies are implemented for the practice to be in compliance.  The CIO should also be involved with the monitoring of and adherence to the security policies and procedures.

After 16 years, I left Merck and eventually co-founded Entegration, Inc.  For over 10 years I have been the CIO of my clients’ medical practices.  I have to admit that it is one of the most rewarding jobs I could have hoped for.


Interesting insight into actual EMR usage

There is a very interesting post over at The Healthcare IT Guy which shows the actual use of EMRs in the United States.  The report shows usage broken down into several categories including the number of physicians at a site, number of exam rooms, patient volume, hospital/health system ownership, practice speciality, state and a few others.  The report is based on a survey by SK&A of 180,000 medical sites.

Below is a sample of the full report.  Notice that overall only 36% of those surveyed reported that they have implemented an EMR.  The number of small practices with 1-2 physicians is higher and the number of midsize practices is lower and decreases as the number of physicians increases.  The number that is surprising is that in large practices with over 26 physicians, 71% of them have implemented an EMR.  Imagine the number of paper charts that are generated each year for the 29% of large practices that have not implemented an EMR.

Take a look at the full report and see how your practice compares.


Hidden Costs of an EMR Implementation

There are literally hundreds of Electronic Medical Records (EMR) systems for sale.  Some have similar feature sets while others differ in their offerings.  There are many articles, blogs, and whitepapers on picking and implementing the best EMR for a practice.  Most of these seem to focus on the software selection, the workflow process, the implementation process and ongoing support of the EMR.  What seems to be missing is the focus on the actual network and computer system that the EMR will be running on.

As a practice goes from paper charts to a full-blown EMR implementation, there will be a need to grow the practice’s computer network dramatically.  With the old paper chart model, there may be a couple of computers at the front desk for patient sign-in and insurance information collection.  There may also be a few computers for billing and administration.  On the whole, a practice may have a very small or limited computer network.

On the other hand, once a practice moves toward an EMR implementation, the amount of technology required increases dramatically.  The front desk may need scanners to scan insurance cards, driver’s licenses, etc.  Additionally, the front desk may check on insurance coverage, which may require Internet connectivity.  Physicians will need tablet computers to enter patient information during a visit.  If a practice decides not to purchase tablet computers, then perhaps each exam room will need a computer, laptop or terminal to access the EMR system.  The billing department will need access to the EMR system as well as Internet connectivity to submit insurance claims.  Workgroup or network scanners may be needed to scan old patient records into the EMR or to scan patients’ new paper information (e.g. letters, referrals, etc.).  Electronic fax servers may be required to send information out of an EMR to another physician’s office, or the fax server may be used to receive electronic faxes and attach them to patient records within the EMR.

In addition to the equipment mentioned above, there is the EMR itself.  The EMR may require a database server and database software such as Microsoft SQL Server.  There may be a need for a network domain controller which stores the user names and network credentials for a practice’s employees.  The EMR database may be backed up to a tape backup unit or by a remote backup service that backs up the data securely over the Internet.  The reliance on the Internet becomes essential and requires a dependable and fast Internet connection.  These connections can be a T1 from a phone carrier (e.g. Verizon, AT&T, Qwest, etc.), DSL or a Cable Modem.  The Internet connection should be secured via a Firewall which protects a practice’s network.

Once all of the above technology is purchased and deployed, a practice may want to roll out Email for both internal and external communication.  Email with patients may require additional email encryption technology.  With all the new computers and employees that now have access to the Internet, the potential for abuse may arise.  Technology to limit employees’ access to the Internet may need to be implemented.  Additional technology to provide Disaster Recovery of the EMR or network may also need to be purchased and implemented.  Remote Access to the EMR may be required, which may require additional network technology.

As you can see, a practice may go from a handful of computers to a full-blown computer network with a lot of advanced technology.  The network will need to be maintained, which may include verifying data backups, security patch deployment, software upgrades, preventative maintenance, etc.  In addition, the HIPAA Security Rule and HITECH Act require that a network be secure and audited, and that access to patient information be available.  These requirements bring along the need for additional technology and network maintenance processes.

We will go into detail about a lot of these technologies in future updates.  A final thought to think about when a practice is evaluating EMRs – Don’t forget about the computer network!
