New Texas Privacy Law Increases Physician Liability Including Heftier Enforcement Penalties

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. In a series of weekly blogs I am illustrating how these stronger patient protections increase physicians' cyber liability. Consider this case history:

An unencrypted USB drive used to store PHI could not be found in the office. It contained data on 1,105 patients including names, diagnosis codes and Social Security numbers. The physician subsequently notified all affected individuals and local media, added technical safeguards by encrypting all PHI stored on mobile devices, added physical safeguards by keeping new portable devices locked in a secure combination safe in the doctor’s private office when not in use, and added administrative safeguards including annual privacy training of staff.

For breaches affecting more than 500 individuals, HIPAA requires physicians to notify not only the affected individuals but also local media outlets and the Department of Health and Human Services (HHS), which then posts breach information on its website. However, if the PHI was encrypted, the loss is not considered a violation and no notification is required. The privacy violation in this case would have been avoided either by encrypting the thumb drive (a technology-based prevention strategy) or by not downloading PHI to a mobile device (an employee training-based prevention strategy).

HB 300 privacy protections are enforced through penalties, disciplinary actions and audits that are intended to deter breaches. Several factors are considered when determining the consequences of a breach, including the seriousness of the violation, compliance history, harm done to individuals and efforts made to correct the violation. Civil penalties may be assessed for each violation up to:

  • $5,000 if committed negligently
  • $25,000 if committed knowingly or intentionally
  • $250,000 if committed intentionally and PHI is used for financial gain
  • $1.5 million if a “pattern of practice” is found

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.


Texas Privacy Laws Provide Patients Stronger Rights to Access Electronic Health Record Than HIPAA

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", Texas House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. Through a series of blogs I am illustrating a variety of these new protections. Today we contrast a patient's right to access their electronic health record (EHR) under HIPAA against HB 300 requirements in Texas. Consider this case history:

A patient alleged that a physician failed to provide him access to his electronic medical record within 30 days of a written request, as required by HIPAA. After the Office for Civil Rights (OCR) notified the physician of this allegation, he provided the records but charged the patient a $100.00 “administrative fee” because the patient was delinquent on bills. HIPAA permits only a reasonable cost-based fee (copying and postage), with an explanation or summary if agreed to by the individual. To resolve this matter, the physician refunded the $100.

When state and federal privacy laws diverge, the more protective law prevails. In Texas, HB 300 combined with other state laws is more protective than HIPAA, for example regarding a patient’s right to access their electronic health records (EHRs). HB 300 mandates that physicians who use EHRs provide patients the requested record in electronic form not later than 15 business days after receiving a written request, unless there is an allowable exception. The EHR may be provided in another format if the physician’s EHR is incapable of producing an electronic copy or if agreed upon by the patient in advance. Physicians in Texas should align with HB 300 by revising policies on patient access to their EHR and updating their Privacy Notice as needed.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...


CMS prematurely dismisses the alternative option to forgo ICD-10 and implement ICD-11

In their proposed rule to delay ICD-10, CMS prematurely dismisses (in three short sentences) the alternative option to forgo ICD-10 completely and implement ICD-11 instead. I am very concerned that this dismissal is published without a comparative analysis of the total costs of each option. And there is good reason to seriously consider implementing ICD-11.

In a recent Health Affairs report the authors express concerns that adopting ICD-10 for reimbursement will be disruptive and costly, with little material improvement over the current system. These informatics experts stop short of suggesting we forgo ICD-10 for ICD-11, but they do recommend that policymakers begin planning now to facilitate a tolerable transition to ICD-11. We should recognize that this article was not an appropriate platform for the authors to make a political statement to forgo ICD-10. In addition, more information is needed before making such a recommendation:

  1. What is the earliest date by which the U.S. could implement ICD-11?  CMS suggests that it could be as early as 2020-2022.  What could be done to possibly accelerate that date?
  2. What is the earliest date we could implement ICD-11 if we implement ICD-10 first?  Historical data suggests 2028 is the earliest, but some informatics experts suggest it will be after 2030.
  3. What is the estimated total cost to complete the ICD-10 implementation, then convert to ICD-11?
  4. What is the total cost of stopping the ICD-10 implementation today and proceeding with ICD-11, including the sunken costs of work already done on ICD-10?
  5. What value will ICD-11 provide over ICD-10?
  6. How does the total cost to the industry for using ICD-9 codes another 5-7 years (while ICD-11 is implemented) compare to the total cost to the industry for using ICD-10 codes instead of ICD-11 for 13 or more years after ICD-10 is implemented?
  7. What additional burden will be imposed on physicians and small hospitals by requiring two code system conversions over the next 15 years?  What are the capital costs physicians and small hospitals will incur under both pathways? 
  8. What other potential impacts could there be on physicians and small hospitals? Will it drive an increasing number of physicians into early retirement? Will some small hospitals be forced to close? Will it drive an increasing number of physicians to convert to concierge or cash-only practices?

These and other potential impacts have not been fully assessed by CMS. Implementing ICD-10 has been compared to buying a Betamax instead of a VHS recorder in terms of pending obsolescence. Informatics experts agree that ICD-11 is superior to ICD-10 and that we need to get to it as soon as is tolerable. Perhaps the optimal pathway to ICD-11 really is through ICD-10, but we need a more comprehensive analysis to make a better-informed decision. Let’s put on the table the total costs and impact of both pathways and then decide.

You may read here my entire public comment as submitted to CMS on the proposed rule to delay ICD-10 for one year.


New Texas Privacy Law Increases Employee Training Requirements in Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. I am concerned that there may be low levels of awareness at this time among Texas physicians regarding the new privacy provisions. For example, one of the new requirements impacts employee privacy training policies for the physician practice. As an illustration, consider this case history:

A laptop computer was stolen or lost from the reception desk area, possibly after a cleaning crew had left the main door to the building open. An employee had previously used the laptop to download information that included protected health information (PHI) on 67 patients seen that week. Following the breach the practice notified all affected individuals, added technical safeguards by encrypting PHI stored on mobile computers, added physical safeguards by keeping all portable devices locked in a cabinet in a locked storage room when not in use, and required re-training of all employees on privacy and security policies, including immediate training for the cleaning staff.

Many breaches of PHI are avoidable if employees are trained on privacy and security and remain vigilant when managing PHI. In Texas, HB 300 protects not only PHI as defined by HIPAA but also “sensitive personal information” (SPI) as defined by the Texas Identity Theft Protection Act. HB 300 requires all employees who will encounter PHI or SPI to undergo privacy training that is tailored to the employee’s specific responsibilities and types of contact with PHI. New employees must be trained within 60 days of hiring, and training must be repeated at least once every two years. A log must be maintained with employee signatures verifying their attendance. Physicians can prepare by updating employee training policies and materials.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...


New Texas Privacy Law Places More Accountability on Business Associates of Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. In a series of weekly blogs I am illustrating some of the new protections. I think that the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws. Consider this case history:

A physician practice was notified by one of their business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA’s server was compromised. The breach involved PHI of 1,085 individuals. In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service. The practice contracted with forensic consultants to ensure that the cause of the compromise was found and all online traces of the breached reports were removed.

HB 300 holds accountable any business in Texas that comes into contact with PHI. This means that BAs of physician practices are accountable under HB 300 protections as well as HIPAA unless they have no contact with PHI. Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws. Matters to address in a BAA include:

  • Immediate notification to the practice when the BA discovers a breach
  • Who notifies affected individuals? Who bears the cost?
  • Contract termination for failure to comply with the law or to take "reasonable" steps to fix a breach
  • BA’s compliance with performing a security risk analysis at least annually
  • BA’s compliance with employee privacy training
  • Encryption of PHI on the BA’s mobile devices or exchanged online, and in other circumstances where PHI is at high risk

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...


New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks

Privacy protection is getting bigger in Texas. Last year the Texas Legislature passed House Bill 300 (HB 300), heavily amending the state's Texas Medical Records Privacy Act. These amendments increase protection of electronic protected health information (PHI) and become effective on September 1, 2012. HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, is more protective of patients' privacy than HIPAA. Stronger protections translate to increased physician cyber liability risks.

I support strong protection of patients' electronic PHI through state and federal privacy laws, including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI. But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements, which increase the physician's cyber liability risks. In the next month I know of two physician-oriented publications that will discuss the issue, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th. Hopefully we can stimulate more conversations and actions across the state.

I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300.   Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting protected health information (PHI) stored on mobile devices; and encrypting PHI transported online.    Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

Stay tuned for more blogs on HB 300...   


Keep the data collection cart behind the trailblazing horse

In today's Health IT News there is an article expressing disappointment with the recently released proposed rules for Stage 2 of the Electronic Health Record (EHR) Incentive Program. Some alarming viewpoints are evident in this article regarding the collection of data for use by the federal government to improve public health.

The proposed rule for Meaningful Use Stage 2, on pages 13702-13703, specifically states that the purpose of Stage 2 Meaningful Use is to “encourage the use of health IT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible”. Nowhere in the rule does it state that the primary purpose of Stage 2 Meaningful Use is to collect data for use by the federal government, as is suggested by concerns expressed in this article. Let's keep the data collection cart behind the trailblazing horse so that it does not aimlessly roll down the steepest part of the hill instead of steering toward the most beneficial path. Stage 2 objectives draw a sensible roadmap to the next planned destination, where we can finally begin realizing the maximum potential value of health IT and EHRs. We currently have the horse trotting around potholes toward the widespread adoption and successful use of EHRs, the development of robust HIE networks, the maturation of EHR product functionalities and an improved understanding of safe EHR usage. If we fail to align Stage 2 activities with Stage 2 goals by taking unplanned shortcuts to collect and use data in hopes of improving care now, I fear the cart will crash and cripple the momentum that Stage 1 has initiated.


Healthcare Industry's Triple Strand of DNA: health IT, payment reform and patient empowerment

Earlier this month I used a genetics analogy to describe the amazing progress with electronic health record (EHR) usage by physicians over the past two years (see Progress being made to splice information technology into the healthcare industry's genome in Texas). Facilitating this progress are the EHR Incentive Program and other federal health IT initiatives that the Office of the National Coordinator for Health IT (ONC) oversees.

Last Thursday the National Coordinator of ONC, Dr. Farzad Mostashari, took my genetics analogy one step further in his keynote speech at the HIMSS12 Annual Conference for health IT in Las Vegas. And I have to admit that he improved upon it. I guess that's why he's in Washington D.C. and I'm not.

Dr. Mostashari warned the 36,000 conference attendees that along with this continued progress there are two other societal trends with which to align health IT. He advocated for "twisting health IT to create a triple strand of DNA" with payment reform and patient empowerment.

Health IT, payment reform and patient empowerment.  The triple strand of DNA to splice into the healthcare industry.  I like that. 

Payment reform is seriously needed to align incentives with the provision of quality care in an efficient manner. Right now I am basically paid to "encounter" patients and to do procedures. Although I am personally motivated to provide high quality care, the incentives are oddly there for physicians to "see more" and "do more" rather than to "see it done best". In addition, my documentation is based on meeting reimbursement rules to make sure I get paid rather than on communicating a clear picture of my findings and care plan. I absorb the extra time it takes to do both.

Consequently it is no surprise that for decades EHR vendors developed products based on episodic care. Physicians sought out products that would help them document and get paid for patient encounters. Documentation templates and charge capture functionalities were developed to maximize chances for reimbursement.

The potential for EHRs to improve quality and chronic disease management is just now starting to be realized.    The ONC's health IT initiatives enacted by CMS under the HITECH portion of the 2009 Recovery Act are providing the push.   But as payment reform proceeds, whether it be value-based purchasing, accountable care or some other program, EHR vendors will be incentivized even more to shift development efforts into chronic disease management and clinical decision support that are a basis for improving patient care. 

And the third strand of DNA to splice into the healthcare industry, patient empowerment, is indeed an active and growing societal influence.  But I will have to blog about that another day...


Progress being made to splice information technology into the healthcare industry's genome in Texas

It's amazing, the progress being made to splice information technology into the health care industry's genome. When I first dove into health IT a decade ago the use of electronic health records (EHRs) was dismal, and healthcare stakeholders rarely sat at the same table with mutually beneficial, collaborative objectives in mind. Even within the same healthcare organization it was not uncommon for individual department leaders to disrupt an integrated health IT effort in order to protect some of their department's self-interests. Less than 5% of hospitals had implemented fully functional computerized provider order management (CPOM) systems; less than 1 in 5 physicians were using an ambulatory EHR; and less than 5% of those were fully functional EHRs. Today the percentage of physicians and hospitals using robust EHRs is rising at a rate that was unthinkable back then.

This progress parallels the launch of health IT initiatives established through the federal HITECH funds such as the EHR Incentive Program.   In the past two years these funds have been a catalyst here in Texas to engage diverse groups of healthcare stakeholders  to use health IT to improve quality of care.   As a result:  

  • Increasing numbers of Texas physicians are using EHRs (approaching 50%)
  • More and more hospitals are using CPOM
  • Over a dozen community-wide health information exchanges (HIEs) are up and running
  • New health IT workforce training programs are established
  • Four regional extension centers were formed covering all geographic areas of the state and are doing a phenomenal job assisting thousands of physicians with EHR selection, implementation and meaningful use
  • Texas became the first state to have its HIE plan approved by ONC
  • Texas was one of the first states to stand up the Medicaid EHR incentive program making our program a model for other states
  • Texas was one of four to receive a SHARP grant
  • And Texas leads the way with the number of physicians attesting to meaningful use; Texas physicians and hospitals have received over $270 Million in EHR incentives

This rate of progress is only possible when individuals with diverse backgrounds and from different healthcare stakeholder groups are able to collaborate.  In Texas these stakeholders have demonstrated an ability to park their self-interests in order to drive forward with a common vision to improve the quality and delivery of patient care in our communities.


Snapshot of EHRs Used in Texas to Achieve Meaningful Use Gives Glimpse of Regional EHR Market Consolidation

Over 400 electronic health record (EHR) vendor products are certified by the Office of the National Coordinator of Health IT (ONC), but only a handful of them are used by a majority of the physicians in Texas who have been awarded EHR incentive payments by the Centers for Medicare and Medicaid Services (CMS) according to an ONC database released last week.

Physicians who successfully meet CMS criteria that demonstrate their “meaningful use” of an ONC-certified EHR become eligible for incentive payments up to $44,000 over 5 years under the Medicare program or $21,500 over 6 years under the Medicaid program. The ONC database includes the records of 21,697 physicians who have received EHR incentive payments so far, de-identified by physician but including the physician’s EHR product name, the physician’s state and whether payment was received through the Medicare or Medicaid programs. There are 217 EHR vendors listed as having products that had been used successfully by at least one eligible physician.

In Texas 1,585 physicians have received EHR incentive payments according to the database. Although 75 different ambulatory EHRs were used by at least one physician, only six of them were used by more than 100 physicians. These six EHRs account for 69% of the EHRs used in Texas to achieve meaningful use.    They are listed here with the number and percent of physicians using each to achieve meaningful use:

  • Epic 277 (17%)
  • eClinicalWorks 249 (15%)
  • e-MDs 177 (11%)
  • Allscripts 170 (11%)
  • Athenahealth 128 (8%)
  • NextGen 114 (7%)

The following graph displays the 25 EHRs that at least 10 Texas physicians have used to achieve meaningful use payments:

(Graph: EHR vendors used by at least 10 Texas physicians to achieve meaningful use)

There are 50 other EHRs used by less than 10 physicians in Texas who have successfully attested for meaningful use incentive payments.   These are listed at the end of this blog.

Across the nation Epic is the early leader with over 25% of physicians using it to achieve meaningful use. The top five EHRs nationally–Epic, eClinicalWorks, Allscripts, athenahealth and Community Computer Services–are used by nearly 49% of the physicians.    The top 13 EHR vendors nationally are used by more than 75% (see list below).   There are variations in regions across the nation, though, as seen with the Texas data.

It is interesting to note that in Texas the first three of the top six EHRs used to achieve meaningful use–Epic, eClinicalWorks and e-MDs–are all private companies. The other three are public companies–Allscripts, NextGen and athenahealth. They all generally have positive reputations and perennially receive a variety of “Best in KLAS” rankings. Epic’s ambulatory EHR is used primarily by physicians affiliated with large health centers and is not currently a feasible option for many small practices in rural Texas. Athenahealth is marketed as a web-based EHR, but the others can be web-based as well. Although e-MDs is popular nationally, their market share in Texas benefits from their headquarters being located locally in Austin.

In the past decade many speculated that CCHIT certification of EHRs, which is more comprehensive than the ONC certification for meaningful use, would spur a consolidation of what is currently a dispersed EHR market with hundreds of vendors supplying products. Others felt that free market forces, with physicians in the center creating demand for EHRs that worked well, would eventually swing the pendulum toward consolidation. It is still early, but the data set in the ONC database gives a provocative glimpse at the EHR market forces in play today. There is clearly some consolidation around a small number of EHR products after the first year of the CMS EHR Incentive Program. I suspect physician demand for EHRs that simplify their ability to receive incentive payments will continue to play a significant role in swinging the EHR market pendulum towards consolidation over the next decade.

 

Additional data:

The top 13 EHRs used by physicians nationally for EHR incentive payments were:

  #Providers   Vendor Name
  6330         Epic Systems Corporation
  1847         eClinicalWorks LLC
  1502         Allscripts
  1158         athenahealth, Inc
  999          Community Computer Service, Inc.
  921          GE Healthcare
  899          NextGen Healthcare
  770          e-MDs, Inc.
  712          Greenway Medical Technologies, Inc.
  567          Cerner Corporation
  565          Sage
  397          BioMedix Vascular Solutions
  252          AmazingCharts.com, Inc.

The following 50 vendors had fewer than ten physicians in Texas using them to achieve meaningful use incentive payments:

  • Meditab Software, Inc.
  • HealthFusion
  • Pulse Systems
  • Altos Solutions, Inc.
  • Integrated Health Care Solutions
  • MED3000, Inc
  • Waiting Room Solutions
  • BizMatics Inc
  • Compulink
  • Crystal Practice Management
  • digiChart, Inc.
  • NexTech Systems Inc.
  • American Medical Software
  • ICANotes, LLC
  • MicroFour, Inc.
  • Prime Clinical Systems, Inc.
  • ADP AdvancedMD
  • Altapoint Data Systems, LLC
  • Ingenix
  • Intivia, Inc.
  • MedPlus, A Quest Diagnostics Company
  • MTBC (Medical Transcription Billing Corporation)
  • Nuesoft Technologies, Inc.
  • Spring Medical Systems, Inc.
  • SuiteMed
  • UnisonCare Corporation
  • AllegianceMD Software, Inc.
  • Cerner Corporation
  • CodoniX
  • CureMD Corporation
  • Data Strategies, Inc.
  • DoctorsPartner, LLC.
  • DrChrono.com Inc.
  • DrFirst
  • EMRlogic Systems
  • Encite, Inc.
  • Exemplo Medical LLC
  • E-Z BIS, Inc.
  • gMed, Inc.
  • Health IT Services Group
  • Insight Software, LLC
  • Medical Office Online, Inc.
  • MedInformatix, Inc
  • MedLink International, Inc
  • Medrium Inc.
  • Midwest Software, LLC
  • MPN Software Systems, Inc.
  • Net Health Systems, Inc.
  • Sammy Systems
  • WellCentive