While about a third of U.S. hospitals reported to the Office of the Inspector General of the Department of Health and Human Services that they don’t have HIPAA-compliant EHR disaster recovery plans, most hospitals told OIG they have comprehensive plans to recover patient data after a disaster.
The OIG hospital disaster recovery survey, results of which were released July 22, came after widespread disruptions to hospital patient records after Hurricane Sandy hit the East Coast in 2012 and rapidly escalating cybersecurity threats to health data.
According to a release, OIG sent questionnaires to a sample group of 400 hospitals that receive meaningful use Medicare incentive funds asking about their EHR contingency plans, including:
- How they comply with HIPAA rules requiring all HIPAA-covered entities to have a contingency plan for disruptions to EHR systems, including maintaining a data backup plan, disaster recovery plan, emergency mode operations plan and having testing and revision procedures
- How they follow practices for emergency contingency planning recommended by the Office of the National Coordinator for Health IT (ONC) and the National Institute of Standards and Technology (NIST)
- Their experience with EHR disruptions.
OIG staff also made site visits to six hospitals, where they reviewed EHR contingency plans and related documents.
Nearly all the hospitals reported having written EHR contingency plans and about two-thirds said they met the four HIPAA requirements OIG reviewed.
Most of the hospitals also said they followed ONC and NIST recommendations such as maintaining off-site backups of EHR data, supplying paper backups when electronic records are unavailable and training staff on contingency plans.
More than half of the respondents said they had experienced an EHR disruption, and a quarter of those said they had delays in patient care as a result.
OIG also found that HHS’s Office for Civil Rights (OCR), which enforces HIPAA, does not specifically focus on EHRs when assessing HIPAA compliance for disaster recovery.
“Persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans,” OIG concluded in the release. “This review and the cyberattacks that have occurred since 2014 underscore our previous recommendations that OCR fully implement a permanent audit program for compliance with HIPAA.”
OCR is now engaged in a second round of audits of selected healthcare organizations and their business associates.
Many observers expect these audits to be followed by a permanent audit program funded by revenues of fines levied on healthcare organizations found to have violated HIPAA.
The Centers for Medicare and Medicaid Services (CMS) is preparing to unleash some stark numbers on care quality at individual hospitals across the country.
But before CMS publishes those star ratings on specific hospitals (coming soon), it has compiled and published a statistical overview of the various rating categories – called the Overall Hospital Quality Star rating system – and where different classes of hospitals fit in.
The rating methodology takes into account 62 quality measures reported by hospitals, using EHR and other data, related to routine care patients receive when being treated for heart attacks and pneumonia as well as measures focusing on hospital-acquired infections.
Among the key measures, according to a CMS fact sheet, are:
- How often patients get an infection after surgery
- Patient wait times in the emergency department
- Rates of complications after hip replacement surgery
- Readmission rates after a heart attack
- How often patients receive multiple CT scans or MRIs
The star rating system ranges from five stars at the top of the quality range to one star at the bottom. The hospital categories include size, teaching status, safety net and critical access.
Perhaps not surprisingly, “CMS’ analysis shows that all types of hospitals have both high performing and low performing hospitals,” according to the fact sheet.
“In other words, hospitals of all types are capable of performing well on star ratings and also have opportunities for improvement,” it continued.
Of the 4,599 hospitals included in the ratings, 102, or 2.2%, received five stars. Some 934, 20.3%, got four stars. The biggest category was three stars, with 1,770, or 38.5% of the hospitals. At the low end, 723, or 15.7%, got two stars, and 133, 2.9%, were classified as one star.
About a fifth of the hospitals included in the analysis did not meet the criteria for a rating and so did not receive star ratings.
Other hospital care quality information, including patient-reported measures, can be found on the CMS web site, Hospital Compare.
In the gaming world, virtual reality is a clear hit among users. Just look at the explosive success of Pokémon Go! Ok, so that’s technically augmented reality. But you catch my drift.
As it turns out, virtual reality is not only incredibly cool but also has the potential to be helpful in healthcare, specifically when it comes to preparing for surgeries as well as training and educating staff.
This is already being done at the Ronald Reagan UCLA Medical Center, according to a story in the Daily Bruin, UCLA’s news website. And UCLA has also reaped other benefits from virtual reality technology. For example, they’ve already diagnosed almost 1,500 prostate cancer patients using the technology. This improved the diagnosis accuracy by more than 300%, a surgeon at the UCLA Medical Center asserted in the Daily Bruin story.
At UCLA, virtual reality technology also allows surgeons to build a three dimensional model of a patient’s anatomy based on a patient’s CT scan. Once the model is built, the injury or area of concern can be identified. Surgeons can then rehearse the surgical steps before the actual operation takes place.
Virtual reality technologies are useful for everything from treating simple injuries to conducting complex multi-organ surgery, according to the story.
And virtual reality is also useful for training and educating medical staff.
For example, using virtual reality technologies to familiarize surgical teams with an operation before it is done not only improves teamwork but also minimizes the patient’s and the surgeon’s anxiety, the article said.
And as for educating future doctors and surgeons, Case Western Reserve University in Cleveland, Ohio, is using Microsoft HoloLens to do just that.
Although virtual reality in healthcare is promising for training and educating staff as well as improving patient care and outcomes, this technology still has a ways to go.
One challenge is that medical scans of a patient’s anatomy may be too complex to be converted into a virtual reality environment for use before surgery, the article said. Furthermore, it can also be difficult to make sure that a virtual reality scenario reflects the complexities of the entire body—an interconnected network of cause and effect.
Maybe your healthcare organization has experienced a ransomware attack recently. Well, you certainly are not alone.
Ransomware attackers mounted about 4,000 attacks a day in early 2016, a 300% increase from the roughly 1,000 daily ransomware attacks reported in 2015, according to a recent U.S. Government interagency report.
That number is pretty staggering.
The U.S. Department of Health and Human Services (HHS) recently published guidance on ransomware including how to know if your healthcare organization is under attack, how to recover, and how to know if HIPAA has been violated.
In general, HHS says that HIPAA compliance can help covered entities, as well as business associates, not only prevent ransomware attacks but also help them recover.
Some key indicators of a ransomware attack, according to HHS, are:
- A user realizing that a link clicked, a file attachment opened or a website visited may have been malicious
- An increase in CPU and disk activity for no apparent reason (the ransomware searching for, encrypting and removing files)
- Inability to access certain files
- Detection of suspicious network communications
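To make the last three indicators concrete, here is an added example (written for this page; it is not part of the HHS guidance or of SearchHealthIT’s reporting) that compares two snapshots of a file share and reports the on-disk fingerprints of an encryption run: originals replaced by same-named files with a new appended extension and near-random contents, a cluster of those renames rather than a single one, and a freshly dropped ransom note. The snapshot format, the ransom-note filenames and the sample files are all constructed for the example.

```python
import math
from collections import Counter

# Names ransomware commonly drops beside encrypted files. Constructed, hypothetical
# list for this example; a real deployment would take these from threat intel feeds.
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.html", "decrypt_instructions.txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_ransomware_indicators(before, after, entropy_threshold=7.5, min_files=5):
    """Compare two {path: bytes} snapshots of a share and report ransomware-like changes.

    Looks for the way 'inability to access certain files' and unexplained disk activity
    show up on disk: originals gone and replaced by "name.ext.<new>" files whose contents
    are near-random, several of them in one pass, and newly created ransom notes.
    """
    encrypted = []
    new_extensions = Counter()
    for path, _old in before.items():
        if path in after:
            continue  # still present under its own name; ordinary edits are not flagged
        # e.g. "report.docx" -> "report.docx.locked"  (O(n*m) scan; fine for an example)
        for new_path, new_bytes in after.items():
            if new_path.startswith(path + ".") and new_path not in before:
                ent = shannon_entropy(new_bytes)
                if ent >= entropy_threshold:
                    encrypted.append((path, new_path, round(ent, 2)))
                    new_extensions[new_path[len(path):]] += 1
    notes = sorted(p for p in after
                   if p not in before and p.rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES)
    return {
        "encrypted_files": encrypted,
        "new_extensions": new_extensions,
        "ransom_notes": notes,
        # one encrypted-looking rename could be a user; a cluster or a note is the malware
        "suspicious": len(encrypted) >= min_files or bool(notes),
    }


# --- constructed sample data (no real files) ---------------------------------
def _fake_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output: 131 is coprime to 256, so every byte
    value occurs equally often and the entropy is exactly 8.0 bits/byte, like real ciphertext."""
    return bytes(((i * 131) + seed) % 256 for i in range(size))


def build_snapshots():
    text = b"Patient visit summary: follow-up in two weeks, continue current medication.\n" * 40
    before = {f"share/records/visit_{i:02d}.docx": text for i in range(8)}
    before["share/records/notes.txt"] = b"call pharmacy\n"
    after = {f"share/records/visit_{i:02d}.docx.locked": _fake_ciphertext(i) for i in range(7)}
    after["share/records/visit_07.docx"] = text                      # not reached by the malware
    after["share/records/notes.txt"] = b"call pharmacy\ncall lab\n"  # ordinary edit, not flagged
    after["share/records/README_DECRYPT.txt"] = b"Your files are encrypted. Pay to recover.\n"
    return before, after


if __name__ == "__main__":
    before, after = build_snapshots()
    print(detect_ransomware_indicators(before, after))
```

In production the snapshots would come from a file-integrity monitor or a backup catalog, and the entropy test is what separates an encryption run from a bulk rename by a legitimate migration tool. A run of high-entropy renames on a file server is exactly the unexplained disk activity the HHS list describes, and an alert here is the trigger for the incident response plan discussed next.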
HHS recommends that if an entity believes a ransomware attack is underway, it should immediately activate its security incident response plan, which should include determining the scope and origination of the attack, whether the attack is finished, and how the attack occurred.
Once these initial steps have been taken, HHS recommends that a covered entity then work to contain the impact and propagation of the ransomware, and then eradicate the ransomware.
Once this is done the covered entity should mitigate vulnerabilities, restore the data lost in the attack in order to recover, and then conduct post-incident activities. These should incorporate deeper analysis of the evidence to determine whether the entity has any regulatory, contractual or other obligations as a result of the attack.
Lysa Myers, security researcher at cybersecurity firm ESET North America, said in an email that generally the guidance from HHS was good. However, “I would like to see a bit more about specific techniques and tactics to prevent malware, such as: patch or update software regularly, show hidden file-extensions, and block executable files sent in email,” she said.
(SearchHealthIT contributor Reda Chouffani, in a recent story, details ten ways to stop and avoid a ransomware attack.)
Meanwhile, Myers said the government guidance will help healthcare organizations better protect themselves against ransomware and malware, and against many other types of breaches as well, without being an unnecessary burden.
“By adding additional techniques like encrypting sensitive data when it’s stored or when it’s sent via the Internet, and using multi-factor authentication, they can significantly impact their level of risk,” Myers said.
With its levy of a $650,000 fine on a service provider of the Archdiocese of Philadelphia, the Department of Health and Human Services’ Office for Civil Rights (OCR) has entered into what appears to be its first-ever settlement with a business associate for allegedly violating the HIPAA Security Rule.
The OCR action stemmed from the 2013 theft of an iPhone from Catholic Health Care Services (CHCS), which led to the loss of protected health information (PHI) of 412 people, according to the OCR settlement and corrective action plan.
CHCS provides information and technology services to nursing homes operated by the Archdiocese.
The HITECH Act of 2009 made business associates of healthcare organizations directly subject to HIPAA’s health data privacy and security requirements, just as covered entities are.
In 2016, OCR began auditing business associates for the first time, as part of a formal round of audits of healthcare organizations and of the business associates that handle PHI for them, such as billing firms and cloud providers.
After an investigation starting in 2014, OCR determined that, among other violations, CHCS failed to perform a security risk analysis and failed to put in place a security risk management plan.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” OCR Director Jocelyn Samuels said in a release. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
Meanwhile, another PHI breach by a business associate that exposed health data of 4,300 dental patients was disclosed recently by Massachusetts General Hospital, the Boston Globe reported.
In February, Mass. General learned that an unauthorized party had gained access to electronic files stored by Patterson Dental Supply Inc., which supplies software to help manage dental practices for healthcare providers including Mass. General.
On June 29, the hospital began notifying affected patients that their PHI – including dates of birth, Social Security numbers, and possibly the date and time of their dental appointments – had been exposed.
Responding to Congress’ call last year to define health IT interoperability measures that Medicare providers must meet to receive reimbursement under new value-based models, ONC has published the measures. The new measures are now part of MACRA, the Medicare Access and CHIP (Children’s Health Insurance Program) Reauthorization Act.
The measures, as detailed in an ONC blog post, are:
- “Measure 1: Proportion of health care providers who are electronically engaging in the following core domains of interoperable exchange of health information: sending; receiving; finding (querying); and integrating information received from outside sources
- Measure 2: Proportion of health care providers who report using the information they electronically receive from outside providers and sources for clinical decision-making.”
The blog post’s authors, Seth Pazinski and Taisha Searcy, of the ONC Office of Planning, Evaluation and Analysis, elaborated that the measures fulfill many commenters’ requests that they not add to providers’ reporting burdens, but rather come from existing national surveys of hospital and office-based physicians.
The surveys are the American Hospital Association’s Information Technology Supplement Survey and the Centers for Disease Control and Prevention’s National Center for Health Statistics’ annual National Electronic Health Record Survey of office-based physicians. The surveys measure not only interoperability but also how physicians use other EHR functions in their daily practice.
The ONC officials also noted that commenters, in addition to being concerned about burdensome reporting, also wanted the measures’ scope broadened to include providers not eligible for the meaningful use program for EHRs, such as behavioral health providers.
Commenters also raised concerns about recognizing the complexity of measuring interoperability.
“Although the MACRA requirement for measuring interoperability largely focuses on ‘meaningful users,’ we are committed to advancing interoperability of health information more broadly,” the ONC officials wrote. “We will be expanding our measurement efforts to include populations across the care continuum in the near-term, as well as an increased focus on outcomes in the longer-term.”
Most healthcare organizations, 58% of respondents to a Peer60 report, aren’t ready to adopt alternative payment models for value-based care yet, according to the report. Another 37% of respondents said they will be adopting alternative payment models for value-based care, and 5% said they will not.
This doesn’t come as much of a surprise, however, since bigger hospitals have consistently been more likely than smaller ones to have the resources, financial, technical or otherwise, to pull off adopting a new payment model, the report said. More specifically, the report found that hospitals with fewer than 500 beds are likely to be slow to adopt alternative payment methods.
The alternative payment methods include:
- Accountable Care Organization (ACO)
- Bundled Payments
- Full and Partial Capitation
- Comprehensive Primary Care (CPC) and CPC+
- Pay for Performance (P4P)
- Value-Based Purchasing (VBP)
The surveyors received varied responses from some of the providers that indicated they are not opting for value-based payment models.
“Some were of the opinion that doctors would be paid less than ever before due to noncompliant patients; outcomes determined primarily by patient compliance could lead to physicians cherry-picking patients whose outcomes will show higher levels of value,” the report said. “One provider even called the value-based system ‘diabolical.'”
Another provider respondent said in the report that, “metrics used by payers are not reflective of the true quality of services delivered.”
However, some hospitals across the country have already begun to adopt and use value-based care payment models. One example is the four healthcare organizations in Massachusetts that signed on to Blue Cross Blue Shield’s value-based care model.
Although most healthcare organizations may not be ready to move over to value-based payment approaches yet, the report did find that providers are most interested in adopting a bundled payments model, which CMS says allows for greater provider adaptability and flexibility in deciding how payments are allocated.
The first day of the two-day Health IT Summit in Boston was filled with speakers and panels addressing value-based care and cybersecurity. The largest share of the audience, about half, were health IT professionals and administrators; the rest consisted of security and privacy professionals, clinicians and providers, according to an informal poll taken during a session at the summit.
Richard Royer, CEO of Primaris, a Missouri-based consulting firm, outlined three actions that need to be executed in order to achieve value-based care:
- Know how to optimize your EHR and the data. Technology plays an important role not only in meaningful use but also in value-based care. Adoption of EHRs has tripled in the last seven years, according to Sylvia Burwell, secretary of the Department of Health and Human Services, who spoke about the issue at the Health Datapalooza conference in Washington, D.C. in May. However, Royer asserted that “simply having an EHR is not enough” when it comes to achieving value-based care.
- Know your patients. Focus on population health and care coordination. This means linking systems electronically and bringing all the players into a coordinated system. Providers have to start thinking of managing a population of patients, because that’s where the value-based reimbursement system is headed.
- Know your practice. And know how to deliver care, Royer said. In this case, providers should be making sure they are focusing on the right strategies and technologies to improve the delivery of care. If they are concentrated on the right things, he added, then the emphasis should be on “doing things right.”
Another poll taken at the summit showed that attendees were about equally divided when it comes to whether external hackers or inside threats are the greatest security risk in the near and long term.
“I don’t think there’s a difference anymore,” Julie Berry, CIO at Steward Health Care System in Boston, said on the same panel. “You can’t lock people out anymore. You have to live like they’re there already.”
The key is to figure out who has access to what data and what part of the medical record that person is touching, Erika Barber, privacy and security manager at Massachusetts General Hospital in Boston, said.
One hospital is using an application that manages patient privacy and automatically detects breaches to help it monitor who has access to what within the organization.
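As an added illustration of that “who is touching what” question (example code written for this page, not the application either hospital uses), the following audits a constructed EHR access log against a treatment-relationship table: every chart access not explained by an assignment is reported, a coworker’s chart viewed without a relationship is called out separately, and a user who opens several unassigned charts in a short window is flagged as a burst. The log layout, the assignments feed and all user names and patient IDs are assumptions made up for the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed EHR access-audit extract in a hypothetical CSV layout; not real patient data.
AUDIT_LOG = """timestamp,user,role,patient_id,action
2016-07-11T08:02:00,nurse.ava,RN,P1001,view
2016-07-11T08:05:00,nurse.ava,RN,P1002,view
2016-07-11T08:40:00,dr.lee,MD,P1001,update
2016-07-11T09:10:00,nurse.ava,RN,P2099,view
2016-07-11T09:12:00,clerk.sam,REG,P1003,view
2016-07-11T12:30:00,nurse.ava,RN,P3001,view
2016-07-11T13:00:00,dr.lee,MD,P1002,view
2016-07-11T14:00:00,clerk.sam,REG,P1004,view
2016-07-11T14:01:30,clerk.sam,REG,P1005,view
2016-07-11T14:03:00,clerk.sam,REG,P1006,view
2016-07-11T14:04:10,clerk.sam,REG,P1007,view
2016-07-11T14:06:00,clerk.sam,REG,P1008,view
"""

# Treatment relationships, as they would come from a scheduling or admission feed (constructed).
ASSIGNMENTS = {
    "nurse.ava": {"P1001", "P1002"},
    "dr.lee": {"P1001", "P1002"},
    "clerk.sam": {"P1003"},
}

# Patients who are also staff; opening a coworker's chart is the classic snooping case (constructed).
EMPLOYEE_PATIENTS = {"P3001"}


def parse_log(text):
    """Parse the CSV extract and return rows sorted by time, with a datetime in r['ts']."""
    rows = list(csv.DictReader(io.StringIO(text.strip())))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])


def audit_access(log_text, assignments, employee_patients,
                 burst_threshold=5, window=timedelta(minutes=10)):
    """One finding per access lacking a treatment relationship, plus a burst finding
    when a user reaches `burst_threshold` distinct unassigned charts inside `window`."""
    findings = []
    recent = defaultdict(deque)  # user -> (ts, patient) of unassigned accesses inside the window
    for r in parse_log(log_text):
        user, patient, ts = r["user"], r["patient_id"], r["ts"]
        if patient in assignments.get(user, set()):
            continue  # explained by the user's assignment; nothing to report
        reason = ("coworker_record_without_relationship" if patient in employee_patients
                  else "no_treatment_relationship")
        findings.append({"user": user, "patient_id": patient, "ts": ts, "reason": reason})
        q = recent[user]
        q.append((ts, patient))
        while ts - q[0][0] > window:   # drop accesses that fell out of the sliding window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) == burst_threshold:   # fires once, when the threshold is first reached
            findings.append({"user": user, "patient_id": patient, "ts": ts,
                             "reason": "burst_of_unassigned_access",
                             "distinct_patients": len(distinct)})
    return findings


def findings_by_user(findings):
    """Roll findings up per user and reason, the view a privacy officer triages from."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f["user"]][f["reason"]] += 1
    return {user: dict(reasons) for user, reasons in summary.items()}


if __name__ == "__main__":
    for f in audit_access(AUDIT_LOG, ASSIGNMENTS, EMPLOYEE_PATIENTS):
        print(f["ts"].isoformat(), f["user"], f["patient_id"], f["reason"])
```

The treatment-relationship table is the piece that does the work; it comes from scheduling, admission and on-call feeds, and the quality of those feeds sets the false-positive rate. Legitimate exceptions (covering a colleague’s patient, emergency break-the-glass access) are better captured as an attested reason recorded in the log than by widening the assignments table.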
Health IT is so often seen as central to creating efficiencies, maximizing reimbursement and helping spur advances in medical care, that its effect on patient safety is sometimes overlooked.
But not by Andy Gettinger, M.D.
In a recent post on ONC’s blog, Gettinger, ONC’s CMIO and director of the agency’s Office of Clinical Quality and Safety, elaborates on two new ONC reports on health IT safety.
A key takeaway: “Evidence continues to indicate that health IT safety is dependent not just on EHR systems themselves, but on a complex interplay of factors, including an institution’s leadership, culture, readiness, installation practices, training and handling of upgrades.”
Gettinger also says in the post that EHR usability and interoperability are also important to improving the safe use of health IT.
The first report, on evidence on health IT safety and interventions, includes analysis of studies by the Joint Commission and Harvard University’s CRICO (Controlled Risk Insurance Company) malpractice claims database.
The Joint Commission identified 120 reports over a 3.5-year period that involved events resulting in patient harm caused by health IT issues such as user-computer interface problems, the ONC report says.
In an analysis of 248 cases in the CRICO database in 2012 and 2013 caused by health IT problems, medication issues in ambulatory care and complications from treatment were the leading cause of claims (38%), with diagnosis next at 28%, according to the report.
Among the recurring patterns with health IT systems identified by the CRICO analysis were risks from EHR conversions and updates, problems with copy-paste functionality and prepopulated data, and “incorrect assumptions that the information in the EHR was always correct and up to date.”
The second report lays out goals and priorities for healthcare organizations to improve patient safety using health IT.
It includes a summary of major federal health IT safety policies, including moves to discourage information blocking; EHR transparency initiatives; establishing a framework for vendors and users to report health IT-related deaths, injuries and unsafe conditions; and recommending that Congress set up an independent body for investigating health IT safety incidents.
Among these is the creation of a Health IT Safety Collaborative under ONC to promote safe use of health IT and coordinate safety issues among developers building health IT systems.
When Cerner Corp. was chosen to take on the task of connecting the U.S. Department of Defense’s (DoD) 55 hospitals and 600 clinics, it was declared a big win for the EHR vendor.
But the DoD’s Office of the Inspector General (OIG) is recommending in an audit report that the DoD and Cerner reconsider the initial go-live date because the “mandated execution schedule may not be realistic for meeting the required initial operational capability date of December 2016.”
The OIG explained in the audit report that while the DoD Healthcare Management System Modernization program has identified risk and mitigation strategies, rushing the system into use by December may create other risks.
These include “potential delays involved in developing and testing the interfaces needed to interact with legacy systems, ensuring the system is secure against cyber attacks, and ensuring the fielded system works correctly and that users are properly trained.”
Zane Burke, president of Cerner, told SearchHealthIT in a video interview that the endeavor would not be easy.
“The use cases are both challenging and awe-striking, as you think about what those men and women are out doing serving our country, serving the nation and their need for care in very difficult, challenging settings,” Burke says in the video. “Our role is to make sure that no matter where that soldier or their family is … the electronic health record transfers with them and they have access to that.”
However, the OIG is recommending that a schedule analysis be performed and that program risks continue to be monitored.
Regardless, one industry analyst, Nancy Fabozzi, principal analyst for connected health at the Frost & Sullivan consulting firm, told SearchHealthIT that she thinks Cerner was the EHR vendor best suited for the job.
“Cerner is seen as being more interoperable and they sort of ooze efficiency,” Fabozzi said.