Life Science Compliance Update

January 29, 2016

Another Transparency Threat – Health Education Exchanges and Medical Identity Theft

We have previously drawn attention to some of the downsides of transparency as it relates to medical information. Those downsides typically revolve around the Sunshine Act and Open Payments data. However, there is another major concern about a yet another aspect of medical information transparency. Electronic health records, which allow a primary care physician to quickly send information to other physicians, are starting to become more prominent, easily accessible, and dangerous.

Health information exchanges (HIEs) allow doctors to share information amongst each other and help healthcare agencies to track and respond to emerging health threats. Storing patient medical records in the cloud instead of on-site helps cut down on IT costs and storage costs, and allows medical providers to focus on their primary mission of providing healthcare to patients.

While there are some positives to health records being easily accessible by medical professionals, medical data being so easily accessible also presents a huge attack surface for cyber thieves. A recent Ponemon Institute survey reported that 2.3 million adult patients were victims of medical identity theft in 2014 and those victims spent an average of $13,500 trying to restore their credit, pay off fraudulent medical claims, and clean up their health records.

While the 2014 figures may astound you, The Washington Post reports that the Department of Health and Human Services (HHS) estimates over 120 million Americans have had some of their protected health information (PHI) compromised in data breaches since 2009.

Individual companies and agencies have reported their own data breaches of PHI as well. Excellus BlueCross BlueShield suffered a data breach that affected 10.5 million people; Premera had a breach that affected up to 11 million people; and the Office of Program Management breach affected up to 21.5 million. It is estimated that in total, as much as half of the United States population has had PHI compromised.

These data breaches are the results of a new form of cyber attack. While there isn't just one purpose or motivation behind cyber attacks, there are several plausible ones. One reason may be because when the cyber attackers steal medical identities, they are able to monetize the financial information included within them. Dwayne Melancon, chief technology officer with Tripwire, says that the healthcare industry is ahead of the retail industry, but behind the financial industry, when it comes to protecting consumer data. The growth of the Dark Web has provided a ready and simple market for thieves who sell financial and other personal information, such as medical records. As such, it is possible that cyber attackers are turning to an easier approach when it comes to taking your financial information.

Further, while financial information can be monetized almost immediately, medical records can take a bit longer to exploit. If someone seeking medical treatment is using health information of another patient to receive free medical care, they need to be sure their provider doesn't already know who the real patient is and that the identity they stole matches them and their health issues close enough so that the fraud will not be immediately detected.

It isn't just the possibility of free medical care that could be motivating healthcare cyber attackers. Personal medical information can also be useful to those perpetrating phishing attacks. Parents of children who are terminally ill who receive calls from their doctors, or others purporting to be linked to the doctor, are not likely to be as cautious when told their child has been recommended for a promising clinical trial, and may give financial information over the phone.

Another use for stolen health data is extortion. UCLA Health dealt with a data breach in July 2014, after which Jeff Hill, channel manager at STEALTHbits Technologies, speculated that part of the motivation for attacking an LA-based health system is to find personal health information on celebrities and hold that information for ransom or sell it to news organizations. He states that, "[t]he most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc."

Unfortunately, these data breaches are not always avoidable. Dwayne Melancon stated, "There is a tendency to say a company didn't know what they were doing. That is not always the case...In a lot of those cases it isn't negligence, its just something people could not foresee. If they were taking reasonable measures and still got compromised, it may be that they had well-resourced, determined attackers, and any organization could be vulnerable to that."

When personal health information is exposed through breaches, patient lives can hang in the balance. It is important for all decision makers in healthcare organizations to understand these threats and work to combat them daily, from IT staff to privacy and compliance staff.

November 24, 2015

Stage III Meaningful Use CMS Doubles Down as Opposition Mounts

Despite Congressional interest in delaying Stage 3 of the electronic health record Meaningful Use program and the AMA coming out strongly against the roll out, HHS recently went forward and published its 752-page Final Rule for Stage 3 and Stage 2 modifications. One of the central pieces to the Affordable Care Act, along with the American Reinvestment and Recovery Act (ARRA) was the implementation and "meaningful use" of electronic health records (EHRs)—through the HITECH provision. Implemented in stages, Stage 3 is the final step of the program.

Final Rule

The 2015-2017 Meaningful Use (MU) Final Rule establishes MU program requirements for 2015 - 2017, creating a new "Modified Stage 2." All providers, including those in the Medicaid program, would attest to a single set of objectives and measures beginning in 2015. The Modified Stage 2 program reduces the number of requirements and lowers certain measure thresholds compared to Stage 2. All providers are required to move to Stage 3 beginning in 2018 regardless of their prior participation or Stage of MU.

The final rule establishes a modified version of Stage 2 for 2015 - 2017 for all participants. In 2015, all participants must follow Modified Stage 2 with accommodations for providers who were schedule to demonstrate Stage 1 in 2015. Next year, in 2016, all participants would follow the Modified Stage 2 with a smaller set of accommodations for providers who were scheduled to demonstrate Stage 1 in 2016. The following year, in 2017, participants may select to report on Modified Stage 2 or the full version of Stage 3 outlined in the Stage 3 rule. By 2018 all participants would follow the full version of Stage 3.

CMS recently announced a new FAQ that allows any provider to apply for a hardship exception for 2015 under the "extreme and uncontrollable" circumstances category due to the lateness of the modifications rule. The agency has also clarified that physicians switching EHRs or experiencing issues with a vendor product may apply for a hardship exemption under the existing "extreme and uncontrollable circumstances" category.

The MU Stage 3 Final Rule allows for a 60-day public comment period to continue to consider program changes and align requirements with the Medicare Access and CHIP Reauthorization Act (MACRA). This is the last stage of MU and Stage 3 requirements are optional in 2017 and mandatory for all participants in 2018, no matter when they started the MU program.

All Stage 3 MU participants (both physicians and hospitals) must meet 8 objectives. Each objective may include multiple measures. Objections include: (1) Protect Electronic Health Information; (2) Electronic Prescribing (eRx); (3) Clinical Decision Support (CDS); (4) Computerized Provider Order Entry (CPOE); (5) Patient Electronic Access; (6) Coordination of Care through Patient Engagement; (7) Health Information Exchange (HIE); and (8) Public Health and Clinical Data Registry Reporting.

Physicians in opposition, economics of practice changing in part due to Health IT

As reported by Politico, the American Medical Association helped lead the charge to pause finalization of the Stage 3 rules. AMA argued Stage 3 takes a "drastic step backwards" from CMS's proposed changes to Stage 2. The implementation of electronic health records has been especially difficult for independent and smaller physician practices—one of the most consistent arguments against moving forward with the MU program.

As also reported in Modern Healthcare, according to a recent report, independent practices acquired by hospitals are seeing operating costs spike as they try to keep up with the federal electronic health record requirements. Multispecialty physician practices spent an average of $20,693 per full-time-equivalent doctor in 2014, a 12% increase from the year before and a 34% increase from 2010.

More than 3,100 physician groups were surveyed for the report, which includes information on other administrative issues such as staffing ratios. It found that between 2010 and 2014, physician practices increased use of non-physician providers, such as physician assistants and nurse practitioners, to meet demand and compete to hire from a limited supply of doctors. Administrative burdens and costs related to running an independent practice has a growing number of physicians opting to become employees of hospitals. Reports indicate that physicians will continue leaving private practice to work for hospitals and that only a third of physicians would remain independent by the end of 2016.

Along these lines, Politico recently asked if electronic health records are creating a spike in hospital mergers. According to American Hospital Association CEO Rick Pollack in a recent House Judiciary Committee hearing, he estimated hospitals will spend between $20 million and $200 million on EHRs each year depending on their size, and that dollar amount is unmanageable for smaller hospitals. This causes them to merge and results in fewer players in the market. "The fundamental restructuring that CMS anticipates in response to its alternative reimbursement models will undoubtedly come with a high cost that will be particularly difficult to bear for small and stand-alone hospitals," Pollack testified.

GOP Doctors Caucus Resistance

In line with the aforementioned physician resistance, the GOP Doctors Caucus announced plans to ask House of Representatives Speaker Paul Ryan for end-of-year legislation to include a delay in Stage 3 of meaningful use and broad exemptions for the programs penalties. This forthcoming letter is in addition to a letter sent in September to the Obama administration. The September letter asked for a delay in meaningful use Stage 3, and was signed by approximately 25% of House members. 

Tennessee Representative Phil Roe, chairman of the GOP Doctors Caucus, said, "Many of us believe the appropriations process is also an effective way to get this done. The Caucus is open to various vehicles for these requests and looks forward to working with Speaker Ryan and other House leaders on these important initiatives."

Problems with vendors

Over the past year, health IT vendors have come under scrutiny for the practice of intentionally blocking the sharing of patient information, hurting progress toward a national goal of interoperability. New legislation, the Transparent Ratings on Usability and Security to Transform Information Technology Act of 2015, or the "TRUST IT Act" hopes to combat this practice. The legislation aims to ensure that certified health IT systems are performing as promised in the field, and establish a rating system that will enable consumers to compare different products based on that performance.

According to Senator Bill Cassidy's press release—one of the three Senate physiciansthe legislation will also:

  • Authorize the Office of the National Coordinator for Health Information Technology to make publicly available information, such as summaries, screen shots, or video demonstrations, showing how certified health information technology meets certification requirements;
  • Require the certification program to establish that health IT products meet applicable security requirements, incorporate user-centered design, and achieve interoperability, consistent with the reporting criteria developed for the Health IT Rating Program;
  • Require health IT vendors to attest they do not engage in certain information blocking activities, including nondisclosure clauses in their contracts, as a condition of certification and maintenance of certification;
  • Authorize the Inspector General of the Department of Health and Human Services to investigate claims of information blocking and assess civil monetary penalties on any person or entity determined to have committed information blocking.

This comes after CMS also published recommendations earlier this year to address the information blocking problem, including:

  • Assisting federal and state law enforcement agencies in identifying information blocking cases that violate current laws;
  • Bolstering oversight of certified health IT capabilities "in the field" through new requirements;
  • Creating a nationwide health information exchange governance framework;
  • Requiring certified health IT developers to disclose additional costs, limitations and restrictions associated with their products;
  • Working with CMS to create incentive payments that reward interoperability and health data sharing; and
  • Working with HHS' Office for Civil Rights to educate stakeholders on how HIPAA privacy and security standards apply to information sharing.

Now, despite federal rules, many developers of electronic health records are not meeting federal design requirements, according to research published in JAMA. The researchers from the National Center for Human Factors in Healthcare at MedStar Health in Washington, D.C. found that not all vendors filed required reports on usability testing. The report adds to the mounting concern that EHRs are failing to raise the quality and safety of healthcare and lower its costs.

Gag orders, another previously raised issue, are a separate, but related concern. A Politico investigation found that some of the biggest firms marketing electronic record systems inserted "gag clauses" in their taxpayer-subsidized contracts, effectively forbidding health care providers from talking about glitches that slow their work and potentially jeopardize patients. The website obtained 11 contracts through public record requests from hospitals and health systems in New York City, California, and Florida that use six of the biggest vendors of digital record systems. With one exception, each of the contracts contains a clause protecting potentially large swaths of information from public exposure. This is the first time the existence of the gag clauses has been conclusively documented. Politico faults the government's slow response, noting that little has been done to address the problem despite many years of warnings.

 

Conclusion

There is a significant amount of opposition to current health information technology policies both within the government and the larger medical community. Stage 3 of Meaningful Use could ultimately be delayed through Congressional action, and larger legislative fixes may be necessary to combat the litany of problems raised by stakeholders over the past few years. The ultimate goals of electronic health records may be laudable, but the unintended consequences could be far greater than the Administration had originally perceived.

August 31, 2015

EHR: Congress Moves to Delay and Modify Timeline for Meaningful Use

  EHR, MU

There is a growing movement in Congress to push the Department of Health and Human Services (HHS) to postpone Stage 3 of the electronic health record meaningful use program. Recently, Rep. Renee Ellmers (R-N.C.) introduced a bill (HR 3309) that would delay federal rulemaking for Stage 3 of the meaningful use program until 2017 or when certain conditions are met. Under the proposed Stage 3 rule, eligible providers would have the option of applying for the incentives in 2017 and would have to attest to meeting the criteria in 2018. The comment period on the proposed rule ended May 29, and the CMS is expected to finalize it soon.

During a hearing on meaningful use Stage 3, interoperability and patient access to data, Sen. Lamar Alexander (R-Tenn.) stated: "To put it bluntly, physicians and hospitals have said to me that they are literally terrified of the next implementation stage ... because of the complexity and because of the fines that will be levied,” Fierce Health IT writes.

Industry and Medicine’s Response

As reported in Medscape, industry's response to the Stage 3 proposal has been mainly negative. The Medical Group Management Association (MGMA), for example, said that Stage 3 should not be finalized until more providers had participated in Stage 2. As of May 2015, just 50,983 eligible professionals and 1461 eligible hospitals had attested in Stage 2, according to the CMS. The MGMA also wants CMS to eliminate Stage 3 objectives that require patient engagement.

The American Medical Association (AMA) also criticized the proposal, saying more time is needed to evaluate the impact of the first two stages and that the Stage 3 criteria were too ambitious. And both the American Hospital Association and the College of Health Information Management Executives (CHIME) said the CMS should not finalize Stage 3 until it had had more experience with Stage 2.

It comes as no surprise the AMA strongly supports Congressional intervention to delay Stage 3. "The AMA thanks Rep. Ellmers for sharing our deep concern with a Meaningful Use program that continues to move ahead without first fixing barriers faced by physicians, hospitals, vendors and patients," said AMA President Steven J. Stack, M.D. "Under Rep. Ellmers' leadership, federal regulations would be revised to provide greater flexibility for physicians to meet the Meaningful Use requirements and ensure that Stage 3 of the program is developed in step with other efforts to modernize our nation's health care system."

The bill also addresses key interoperability challenges by ensuring EHR systems are capable of sending, receiving, and seamlessly incorporating patient data.

"This important bill addresses many of the fundamental shortcomings in government regulations that have made many EHR systems very difficult to use," said Dr. Stack. "We heard loud and clear from physicians at the AMA's first-ever town hall meeting on EHRs and the Meaningful Use program that the systems they use are cumbersome, poorly designed and unable to 'talk' to each other thereby preventing necessary transmission of patient medical information."

Struggling to Adopt

Physicians are struggling, as noted in a recent AMA report. One physician the article profiled is in his fourth year of meaningful use, and said the program has slowed down productivity in his practice by about 25-30 percent.

“There are so many more things that you have to report on that I don’t think really add to patient care,” the doctor said. “I’m trying to work with it. I think meaningful use is not necessarily a bad thing. But I don’t think [patients] have an idea what we’re going through. To give them a copy of their note, it’s not just printing it … there are four or five steps just to give somebody a copy of their note.”

The government has known about the problems cited by physicians for a long time. Back in May 2014, CMS delayed for a year the compliance date by which certain early participants in the program meet Stage 2 requirements. The relatively high percentage of providers—62%—still stuck on Stage 1 in the fourth full year of the program bears out the wisdom of the CMS' Stage 2 compliance extension.

The latest data tracks with an analysis done earlier this year by the American Academy of Family Physicians, according to Dr. Steven Waldren, director of the AAFP's Alliance for eHealth Innovation. Waldren said the number of family physicians who attested to meaningful use in 2014 fell nearly 40% to about 23,500 practitioners compared with 2013. Physicians specializing in internal medicine experienced a similar drop-off, he said.

Additionally, a new study from Weill Cornell Medical College describes the emergence of "systematic differences" between physicians who participated in the Medicare and Medicaid EHR Incentive Programs and those who did not. That "could lead to disparities in patient care," according to Weill Cornell researchers, who examined 26,368 physicians across New York State, using payment data from 2011 to 2012, the first two years of meaningful use.

Conclusion

This issue raises serious questions for broader federal health care goals. As we previously wrote, HHS aims to tie 30 percent of payments to quality, including the use of electronic records, by the end of 2016, and 50 percent by the end of 2018. The new MACRA legislation and recent CMS Medicare proposed rules operate as if meaningful use is moving forward as scheduled. Should Congress delay implementation of the next stage of meaningful use, it could have a ripple effect across HHS goals, possibly causing added confusion for physicians and hospitals. It will be important to monitor this as it develops; legislation may need to be passed soon, as CMS wishes to finalize its Stage 3 meaningful use regulations.

 

Newsletter


Preview | Powered by FeedBlitz

Search


 
Sponsors
February 2016
Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29