New Texas Privacy Law Increases Employee Training Requirements in Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   I am concerned that their may be low levels of awareness at this time among Texas physicians regarding the new privacy provisions.  For example, one of the new requirements impacts employee privacy training policies for the physician practice.   As an illustration, consider this case history:

A laptop computer was stolen or lost from the reception desk area possibly after a cleaning crew had left the main door to the building open.   An employee had previously used the laptop to download information that included protected health information (PHI) on 67 patients seen that week.   Following the breach the practice notified all affected individuals, added technical safeguards of encryption for PHI stored on mobile computers, added physical safeguards by keeping all portable devices locked in a cabinet of a locked storage room when not in use and required re-training of all employees on privacy and security policies including immediate training for the cleaning staff.

Many breaches of PHI are avoidable if employees are trained on privacy/security  and remain vigilant when managing PHI.    In Texas HB 300 protects not only PHI as defined by HIPAA, but also “sensitive personal information (SPI)” as defined by the Texas Identity Theft Protection Act.   HB 300 requires all employees who will encounter PHI or SPI to undergo privacy training that is tailored to the employee’s specific responsibilities and types of contact with PHI.    New employees must be trained within 60 days of hiring, and training must be repeated at least once every two years.    A log must be maintained with employee signatures verifying their attendance.    Physicians can prepare by updating employee training policies and materials.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's

New Texas Privacy Law Places More Accountability on Business Associates of Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.   In a series of weekly blogs I am writing to illustrate some of the new protections.   I think that the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws.  Consider this case history:

A physician practice was notified by one of their business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA’s server was compromised.  The breach involved PHI of 1.085 individuals.  In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service.  The practice contracted with forensic consultants to ensure that the cause of the compromise was found and all online traces of breached reports were removed.

HB 300 holds accountable any business in Texas that comes into contact with PHI.   This means that BAs of physician practices are accountable to HB 300 protections and HIPAA unless they have no contact with PHI.   Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws.  Matters to address in a BAA include:   

• Immediate notification to practice when BA discovers breach
• Who notifies affected individuals?  Who bears the cost?
• Contract termination for failure to comply with law or take "reasonable" steps to fix breach
• BA ‘s compliance with performing security risk analysis at least annually
• BA’s compliance with employee privacy training
• Encryption of PHI on BA’s mobile devices or exchanged online; and other circumstances where PHI is at high risk

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's

New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks

Privacy protection is getting bigger in Texas.   Last year the Texas Legislature passed House Bill 300 (HB 300) heavily amending the state's Texas Medical Records Privacy Act.   These amendments increase protection of electronic personal health information (PHI) and become effective on September 1, 2012.    HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, are more protective of patients' privacy than HIPAA.  Stronger protections translate to increased physician cyber liability risks.

I support strong protection of patients' electronic PHI through state and federal privacy laws including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI.   But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements which increase the physician's cyber liability risks.   In the next month I know of  two physician-oriented publications that will discuss the issue, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th.    Hopefully we can stimulate more conversations and actions across the state.

I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300.   Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting protected health information (PHI) stored on mobile devices; and encrypting PHI transported online.    Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

Stay tuned for more blogs on HB 300...   

cook childrens

Keep the data collection cart behind the trailblazing horse

In today's Health IT News there is an article expressing dissappointment with the recently released proposed rules for Stage 2 of the Electronic Health Record (EHR) Incentive Program.   Some alarming viewpoints are evident in this article regarding the collection of data for use by the federal government to improve public health .

The proposed rule for Meaningful Use Stage 2 on page 13702-13703 specifically states that the purpose of Stage 2 Meaningful use is to "“encourage the use of health IT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible”.    No where in the rule does it state that the primary purpose of Stage 2 Meaningful Use is to collect data for use by the federal government as is suggested by concerns expressed in this article.   Let's keep the data collection cart behind the trailblazing horse so that it does not aimlessly roll down the steepest part of the hill instead of steering toward most beneficial path.   Stage 2 objectives draw a sensible roadmap to the next planned destination where we can finally begin realizing the maximum potential value of health IT and EHRs.   We currently have the horse trotting around potholes toward the widespread adoption and successful use of EHRs, the development of robust HIE networks, the maturation of EHR product functionalities and an improved understanding of safe EHR usage.   If we fail to align Stage 2 activities with Stage 2 goals by taking unplanned shortcuts to collect and use data in hopes of improving care now, I fear the cart will crash and cripple the momentum that Stage 1 has initiated.

Healthcare Industry's Triple Strand of DNA: health IT, payment reform and patient empowerment

Earlier this month I used a genetics anology to describe the amazing progress with electronic health record (EHR) usage by physicians over the past two years (see Progress being made to splice information technology into the healthcare industry's genome in Texas).   Facilitating this progress are the EHR Incentive Program and other federal health IT initiatives that the Office of the National Coordinator for Health IT (ONC) oversees. 

Last Thursday the National Coordinator of ONC, Dr. Farzad Mostashari, took my genetics analogy one step further in his keynote speech at the HIMSS12 Annual  Conference for health IT in Las Vegas.   And I have to admit that he improved upon it.  I guess that's why he's in Washington D.C. and I'm not. 

Dr. Mostashari warned the 36,000  conference attendees that along with this continued progress there are two other societal trends to align health IT with.   He advocated for "twisting health IT to create a triple strand of DNA" with payment reform and patient empowerment. 

Health IT, payment reform and patient empowerment.  The triple strand of DNA to splice into the healthcare industry.  I like that. 

Payment reform is seriously needed to align incentives with the provision of quality care in an efficient manner.   Right now I am basically paid to "encounter" patients and to do procedures.       Although I am personally motivated to provide high quality care, the incentives are oddly there for physicians to "see more" and "do more" rather than to "see it done best".     In addition, my documentation is based on meeting reimbursement rules to make sure I get paid rather than being based on communicating a clear picture of my findings and care plan.   I absorb the extra time it takes to do both.

Consequently it is no surprise that for decades EHR vendors developed products based on episodic care.    Physician's sought out products that would help them document and get paid for patient encounters.  Documentation templates and charge capture functionalities were developed to maximize chances for reimbursement.    

The potential for EHRs to improve quality and chronic disease management is just now starting to be realized.    The ONC's health IT initiatives enacted by CMS under the HITECH portion of the 2009 Recovery Act are providing the push.   But as payment reform proceeds, whether it be value-based purchasing, accountable care or some other program, EHR vendors will be incentivized even more to shift development efforts into chronic disease management and clinical decision support that are a basis for improving patient care. 

And the third strand of DNA to splice into the healthcare industry, patient empowerment, is indeed an active and growing societal influence.  But I will have to blog about that another day...

Progress being made to splice information technology into the healthcare industry's genome in Texas

It's amazing-the progress being made to splice information technology into the health care industry's genome.   When I first dove into health IT a decade ago the use of electronic health records (EHRs) was dismal and healthcare stakeholders rarely sat at the same table with mutually beneficial, collaborative objectives in mind.   Even within the same healthcare organization it was not uncommon for individual department leaders to disrupt an integrated health IT effort in order to protect some of their department's self-interests.   Less than 5% of hospitals had implemented fully functional computerized provider order management (CPOM) systems; less than 1 in 5 physicians were using an ambulatory EHR; and less than 5% of those were fully functional EHRs.    Today the percentage of physicians and hospitals using robust EHRs is rising at a rate that was unthinkable back then.  

This progress parallels the launch of health IT initiatives established through the federal HITECH funds such as the EHR Incentive Program.   In the past two years these funds have been a catalyst here in Texas to engage diverse groups of healthcare stakeholders  to use health IT to improve quality of care.   As a result:  

• Increasing numbers of Texas physicians are using EHRs (approaching 50%)
• More and more hospitals are using CPOM
• Over a dozen of community-wide health information exchanges (HIEs) are up and running
• New health IT workforce training programs are established
• Four regional extension centers were formed covering all geographic areas of the state and are doing a phenomenal job assisting thousands of physicians with EHR selection, implementation and meaningful use
• Texas became the first state to have it’s HIE plan approved by ONC
• Texas was one of the first states to stand up the Medicaid EHR incentive program making our program a model for other states
• Texas was one of four to receive a SHARP grant
• And Texas leads the way with the number of physicians attesting to meaningful use; Texas physicians and hospitals have received over $270 Million in EHR incentives

This rate of progress is only possible when individuals with diverse backgrounds and from different healthcare stakeholder groups are able to collaborate.  In Texas these stakeholders have demonstrated an ability to park their self-interests in order to drive forward with a common vision to improve the quality and delivery of patient care in our communities.

Snapshot of EHRs Used in Texas to Achieve Meaningful Use Gives Glimpse of Regional EHR Market Consolidation

Over 400 electronic health record (EHR) vendor products are certified by the Office of the National Coordinator of Health IT (ONC), but only a handful of them are used by a majority of the physicians in Texas who have been awarded EHR incentive payments by the Centers for Medicare and Medicaid Services (CMS) according to an ONC database released last week.

Physicians who successfully meet CMS criteria that demonstrate their “meaningful use” of an ONC-certified EHR become eligible for incentive payments up to $44,000 over 5 years under the Medicare program or $21,500 over 6 years under the Medicaid program. The ONC database includes the records of 21,697 physicians who have received EHR incentive payments so far, de-identified by physician but including the physician’s EHR product name, the physician’s state and whether payment was received through the Medicare or Medicaid programs. There are 217 EHR vendors listed as having products that had been used successfully by at least one eligible physician.

In Texas 1,585 physicians have received EHR incentive payments according to the database. Although 75 different ambulatory EHRs were used by at least one physician, only six of them were used by more than 100 physicians. These six EHRs account for 69% of the EHRs used in Texas to achieve meaningful use.    They are listed here with the number and percent of physicians using each to achieve meaningful use:

• Epic 277 (17%)
• eClinicalWorks 249 (15%)
• e-MDs 177 (11%)
• Allscripts 170 (11%)
• Athenahealth 128 (8%)
• NextGen 114 (7%)

The following graph displays the 25 EHRs that at least 10 Texas physicians have used to achieve meaningful use payments (click to enlarge):

There are 50 other EHRs used by less than 10 physicians in Texas who have successfully attested for meaningful use incentive payments.   These are listed at the end of this blog.

Across the nation Epic is the early leader with over 25% of physicians using it to achieve meaningful use. The top five EHRs nationally–Epic, eClinicalWorks, Allscripts, athenahealth and Community Computer Services–are used by nearly 49% of the physicians.    The top 13 EHR vendors nationally are used by more than 75% (see list below).   There are variations in regions across the nation, though, as seen with the Texas data.

It is interesting to note in Texas that the first three of the top six EHRs used to achieve meaningful use–Epic, eClinicalWorks and e-MDs–are all private companies.   The other three are public companies–Allscripts, NextGen and athenahealth.  They all all generally have positive reputations and perennially receive a variety of “Best in KLAS” rankings.    Epic’s ambulatory EHR is used primarily by physicians affiliated with large health centers and is not currently a feasible option for many small practices in rural Texas.    Athenahealth is marketed as a web-based EHR, but the others can be web-based as well.   Although e-MDs is popular nationally, their market share in Texas benefits from their headquarters being located locally in Austin.    

In the past decade many speculated that CCHIT certification of EHRs, which is more comprehensive than the ONC-certification for meaningful use, would spur a consolidation of what is currently a disperse EHR market with hundreds of vendors supplying products.  Others felt that free market forces, with physicians in the center creating demand for EHRs that worked well, would eventually swing the pendulum toward consolidation.   It is still early, but the data set in the ONC database gives a provocative glimpse at the EHR market forces in play today.  There is clearly some consolidation around a small number of EHR products after the first year of the CMS EHR Incentive Program.    I suspect physician demand for EHRs that simplify their ability to receive incentive payments will continue to play a significant role in swinging the EHR market pendulum towards consolidation over the next decade. 

 

Additional data:

The top 13 EHRs used by physicians nationally for EHR incentive payments were:

#Providers         Vendor Name

6330                     Epic Systems Corporation

1847                    eClinicalWorks LLC

1502                    Allscripts

1158                    athenahealth, Inc

999                      Community Computer Service, Inc.

921                       GE Healthcare

899                      NextGen Healthcare

770                      e-MDs, Inc.

712                     Greenway Medical Technologies, Inc.

567                     Cerner Corporation

565                     Sage

397                     BioMedix Vascular Solutions

252                     AmazingCharts.com, Inc.

 

The following 50 vendors had less than ten physicians in Texas using them to achieve meaningful use incentive payments:

Meditab Software, Inc.

HealthFusion

Pulse Systems

Altos Solutions, Inc.

Integrated Health Care Solutions

MED3000, Inc

Waiting Room Solutions

BizMatics Inc

Compulink

Crystal Practice Management

digiChart, Inc.

NexTech Systems Inc.

American Medical Software

ICANotes, LLC

MicroFour, Inc.

Prime Clinical Systems, Inc.

ADP AdvancedMD

Altapoint Data Systems, LLC

Ingenix

Intivia, Inc.

MedPlus, A Quest Diagnostics Company

MTBC (Medical Transcription Billing Corporation)

Nuesoft Technologies, Inc.

Spring Medical Systems, Inc.

SuiteMed

UnisonCare Corporation

AllegianceMD Software, Inc.

Cerner Corporation

CodoniX

CureMD Corporation

Data Strategies, Inc.

DoctorsPartner, LLC.

DrChrono.com Inc.

DrFirst

EMRlogic Systems

Encite, Inc.

Exemplo Medical LLC

E-Z BIS, Inc.

gMed, Inc.

Health IT Services Group

Insight Software, LLC

Medical Office Online, Inc.

MedInformatix, Inc

MedLink International, Inc

Medrium Inc.

Midwest Software, LLC

MPN Software Systems, Inc.

Net Health Systems, Inc.

Sammy Systems

WellCentive

Health Information Exchanges and Physicians Share Accountability for Safe Patient Care

The $800 billion 2009 American Recovery and Reinvestment Act (ARRA) set aside $36 billion toward health information technology (health IT) initiatives, including over $500 million for the State HIE Cooperative Program.  This federal program provides funds to each state for the successful planning and development of infrastructure that supports the exchange of electronic health data between physician electronic health records (EHRs), hospital EHRs, lab systems, radiology centers and other clinical IT systems.    For example, in Texas we are using these funds to support the development of local health information exchange entities, called HIEs, across the state and to concurrently develop the policies, standards and infrastructure needed to safely/securely connect these HIEs to each other.     The statewide HIE network will also be built to be compatible with national standards and efforts.      

Each state's effort to develop a network of community HIEs and/or a statewide HIE will be more successful with physicians involved upfront with governance and policy development.   When working with local HIEs most physicians will generally understand and appreciate the importance of protecting the privacy and security of electronic patient health information.  Their inherent knowledge on this issue will help guide policies in the right direction.   A more complex issue for physicians to understand is the relationship between HIEs and patient care.   A heightened awareness of this issue will allow physicians to properly inform HIE policymakers about the need to establish an environment where local HIEs, HIE networks and physicians share accountability for safe patient care.   

To deepen physician's understanding of this issue I encourage them and others to think about an HIE as a tool physicians use as a part of patient care, similar to a surgical tool.   If a patient is harmed by a surgical tool that broke because the physician used it incorrectly, the physician is negligent.  If the physician used the tool correctly but it still broke, but it has only broken 8 times in over 10,000 surgeries and the patient consent explains this remote risk of breakage, then no one is negligent.  However, if it broke and the issue had been reported to the vendor by many physicians on a repetitive basis, but the vendor failed to investigate the issue and fix the problem, or failed to inform physicians and patients of the increased risk in the meantime, then the vendor is negligent. 

This perpsective will help physicians advocate for policies that lead to an environment where HIEs and physicians share accountability for safe patient care.   Effective policies will lead to contracts and agreements which acknowledge that:

1. HIEs and HIE infrastructure are tools used by physicians during the course of patient care
2. HIEs are responsible for informing patients and doctors about the inherent risks of  the electronic health information exchange including changes in risks when issues are identified
3. HIEs have a responsibility to continually monitor for and mitigate risks associated with their services that may impact quality of care provided by physicians

 

Bipartisan Health IT Support and ARRA Insulate EHR Incentive Funds From Budget Cuts

A physician colleague recently asked me why I am confident that CMS will not cut off EHR incentive funding in the future.   This question is important to him and other physicians who plan to qualify for up to $44,000 in CMS incentive payments by achieving the meaningful use of EHRs.   They fear that the dragging economy and political discord will result in budget reductions that will cut this and other important health IT funding programs.    What I see, though, is a decade-long track record of bipartisan support for health IT initiatives and a 2009 federal law that requires CMS to provide funding for the EHR incentives and other health IT programs.

In his 2004 State of the Union speech President Bush envisioned the adoption of EHRs for all Americans by 2014.   Since then bipartisan support at both the state and federal levels for health IT initiatives toward the achievement of that vision has held strong.   At the federal level CMS  not only established a new office in 2004 to support health IT, the Office of the National Coordinator of Health IT (ONC) but has also increased funds to support ONC initiatives which promote the adoption and use of EHRs.  CMS works collaboratively with ONC and has consistently shown an understanding that the broad adoption and effective use of EHRs are necessary to better manage spiraling healthcare costs.   CMS understands that the data captured by EHRs is superior to claims-based data when attempting to analyze quality and establish benchmarks.    Physicians have long complained that claims-based data is incomplete and does not fairly demonstrate the quality of care they provide.     EHRs must be broadly adopted in order to capture accurate and meaningful data that can then be used to improve quality or save costs.  

It is important to recognize that CMS is required to provide EHR incentives to physicians by law.   Specifically, the $800 billion American Recovery and Reinvestment Act (ARRA) of 2009, commonly refered to as the Stimulus Bill, allocates over $36 billion to health IT programs through the Health Information Technology for Economic and Clinical Health (HITECH) Act.   This funding includes an estimated $34 billion for the Medicare and Medicaid EHR Incentive Program and over $300 million to support state-wide health information exchange efforts.

In order to cut funding for EHR incentives, this means that bipartisan support would have to be garnered in the House and Senate to rescind ARRA or part of ARRA.   The intent of ARRA  initiatives is to stimulate economic activity and produce jobs.   In the current economic environment it would seem very risky, perhaps even foolish, for a politician to drum up support for new legislation that eliminates economic stimulus activity, especially if that activity is already producing jobs.

So, is the EHR Incentive Program stimulating the economy and producing good jobs?   I am not an economic expert, but from what I see around me the answer is clearly, "yes".    I see job openings in the local paper for healthcare system IT analysts and other staff, I speak with IT consultants most of whom are actively seeking personnel, I hear about physician offices investing into the economy $10,000-$70,000/doctor to implement EHRs or upgrade other office technologies, I read about physicians receiving $44,000 federal incentive payments and about hospitals receiving larger amounts, some of which is surely returned into local economies.  The graph below is a composite view of the 3-year stock performance of the health IT sector since 2009.   EHR vendors and other health IT companies appear to be thriving well since ARRA was passed despite the depressed economy.

I suspect that several years from now when experts analyze the impact of the $800 billion stimulus package, the puny $36 billion provided to health IT initiatives through the HITECH portion of ARRA will go down as perhaps the most bang for the buck in terms of stimulating the economy.  

The EHR incentive funds appeared to be well insultated from budget cuts for these same reasons. 

Texas Medical Association video provides in-depth look at meaningful use, how RECs can help physicians

This video does a good job of describing Meaningful Use, the electronic health record (EHR) incentive program and how the four regional extension centers (RECs) in Texas leverage federal grants to subsidize services for physicians that help them select/implement or upgrade an EHR, and then use their EHR to improve quality of care and meet the Meaningful Use requirements.  

The four RECs in Texas currently charge primary care physicians only $300 for consulting services valued at $5,000.  These services include:

o    Select and implement a certified EHR (or upgrade your current EHR to a certified version)

o    Optimize your practice workflow,

o    Achieve meaningful use,

o    Qualify for EHR incentives, and

o    Obtain CME credit hours      

 cook children's