Tag Archives: electronic medical records

Workers’ Compensation Comes of Age

With close to $40 billion in net written premium, the workers’ compensation line of business is an important driver of financial success for many property/casualty insurers. It has come a long way since its inception roughly 100 years ago. 

As we move forward into the second century of workers’ compensation, it’s possible to anticipate many of the challenges (and opportunities) that are coming. What follows is a checklist of areas to watch.

CLAIMS FREQUENCY—Many aspects of the U.S. economy should help keep claims frequency flat or negative in the near future, including:

An increasing underground economy

In April, Mark Koba, a senior editor at CNBC, chronicled the growth of a large shadow economy of workers who, because they are unable to find regular employment, are taking jobs under the table with no reportable income or taxes. Since these workers have no workers’ compensation insurance protection, medical costs may shift from the workers’ compensation system to the health care system. With some estimates showing construction employment at just 75 percent of 2007 levels, it’s possible that a portion of these jobs are being filled by under-the-table workers. If that’s the case, these traditional higher-frequency classes may not show up as heavily in the industry’s calculations as they have in the past—moderating frequency trends going forward.

Growth in Social Security disability payments

Also in April, CNN Money reported a 29% increase in the number of Americans with little or no employment income who receive disability payments. For those who were formerly employed, the increase was a staggering 44%. In 2011, according to the CNN report, the federal government spent almost $250 billion on disability payments to some 23 million Americans. Although this is a ballooning liability for the federal government, the impact on workers’ compensation insurers is largely in the opposite direction. As workers who are less than healthy exit the workforce, the remaining pool of healthier workers will lead to claims frequency decreases in the future.

Expansion of other state and federal backstops

Since the recession began, there’s been a dramatic increase in federal and state assistance. A March article that appeared on the MoneyNews website reported that the number of food stamp recipients reached a record high in 2012, with an average of 46.6 million people receiving food stamp benefits each month. According to Supplemental Nutrition Assistance Program (SNAP) data, total food stamp benefits increased from $30.4 billion in 2007 to $74.6 billion in 2012, a 145% increase. As state unemployment benefits and other backstop programs cover more people for longer periods, the pool of future workers’ compensation claimants likely to file claims shrinks. When individuals leverage government backstop programs and choose not to work, workers’ compensation insurers benefit.

Older workers not retiring

People are working longer. For the manufacturing industries, this most likely means a dramatic reduction in the number of new employees entering the workforce. Although older workers have higher claims severity, new workers have significantly higher claims frequency.

Workplace health and safety efforts

The risk management and environmental, health, and safety departments of companies continue to focus on enhancing return-to-work programs, promoting workplace wellness, and improving workplace safety. These efforts continue to bear fruit, especially as the workforce ages and the adverse impacts of obesity receive more attention.

Part-time to full-time bias on frequency

Workers’ compensation frequency is often calculated as a ratio of the number of lost-time claims per an adjusted payroll amount. To the extent that recent payroll increases have been driven by more part-time workers converting to full-time work, the doubling of exposure for current workers isn’t the same as doubling the number of workers. In the short term, a heavier reliance on existing employees working longer hours very likely will help make frequency statistics look better. This trend could reverse if smaller employers keep their head count under 50 employees or reduce employee hours to part time (under 30 hours) to mitigate the impact of the employer mandate in the Affordable Care Act (ACA). Newly added part-time workers are likely to bring higher claim frequency, while workers taken below the 30-hour threshold to avoid employer-mandated health care might have an increased incentive to shift claims to workers’ compensation.

SEVERITY—A number of coalescing factors could drive medical and indemnity severity higher in the years ahead, including:

Rising interest rates

With the Federal Reserve finally winding down its quantitative easing programs, interest rates will be heading higher. To the degree that this coincides with an improving economy, indemnity severity is likely to tick up with rising wage pressure. Medical severity, which historically has run at roughly double the medical consumer price index, is likely to rise from the 3% levels we are experiencing today. Severity trends in the 6% to 7% range may be manageable in light of today’s rate increases, but it will be difficult to expand profit margins over the long term if medical inflation returns to double-digit levels.

Claims predictive modeling

Companies increasingly are using advanced analytics to identify claims for triage as early as the first notice of loss. By identifying the highest severity claims, assigning the appropriate resources for triage, and doing a better job on referrals from special investigative units, companies are favorably affecting the duration and severity of claims.

Obesity

The obesity statistics are staggering. The Centers for Disease Control and Prevention (CDC) estimates that in 2010, 36% of Americans age 20 or older were obese. The Robert Wood Johnson Foundation in a 2012 report predicted that obesity rates for adults over the next 20 years would reach or exceed 44% in every state in the United States, and exceed 60% in 13 of those states. Recent NCCI studies show that the ratio in the medical costs per claim of obese to nonobese claimants at the end of five years is 5.3, and the duration of obese claimants is five times that of nonobese claimants. Given the fact that workers of all ages are struggling with maintaining a healthy weight, workers’ compensation costs will only increase as other comorbidities associated with obesity increase costs.

An aging workforce

As workers age, gradual changes in hearing, vision, strength, and balance may lead to increased probabilities and durations of workplace injuries, including sprains, strains, slips and falls, carpal tunnel syndrome, knee and shoulder problems, hip replacements, and back issues. A 2012 NCCI study, however, concluded that an aging workforce appears to have far less of a negative impact on workers’ compensation claims costs than was previously thought. Although there’s evidence that injured workers older than 35 years have higher costs than those younger than 35, costs associated with injured worker cohorts older than 35 tend to be quite similar. And while older workers have more costly injuries, the NCCI observed that such injuries are becoming more prominent in younger workers.

While the NCCI has presented conflicting data on the claim costs of older workers, we know that the number of older workers in the workforce will nearly double in the next 15 to 20 years. The U.S. Department of Health and Human Services estimates that the 39.6 million persons age 65 years or older today will increase to roughly 72.1 million by 2030. That equates to roughly one in every five Americans being 65 or older. While the jury is out on the precise impact of an aging workforce on claim frequency and severity, an aging workforce increases the likelihood of more severe injuries and longer claim durations.

LONG-TERM TRENDS—On the plus side, several trends are emerging that could benefit workers’ compensation insurers in the long run, including:

Price transparency

When the Surgery Center of Oklahoma in Oklahoma City started posting its prices online four years ago, it forced competing area hospitals to follow suit. Although it will take time to catch hold across the country, greater price transparency in the delivery of health care could benefit workers’ compensation insurers. Running counter to this trend is the pace of consolidation in health care. The ACA, with its focus on accountable care organizations (ACOs), electronic medical records, and other coordination-of-care rewards, is fueling consolidation in health care at an unprecedented rate. With increased consolidation comes increased local pricing power, and workers’ compensation insurers could find themselves on the wrong end of that pricing pendulum.

Opioid use

The epidemic of opioid abuse that had swept the nation is finally starting to abate. State governors, attorneys general, and legislatures are passing laws to toughen criminal and administrative penalties for doctors and clinics, establishing standards of care for doctors who prescribe narcotics, increasing the reporting and tracking of prescriptions, and limiting reimbursements to physicians who dispense prescription drugs to no more than a certain percentage above cost. State agencies, local agencies, and the U.S. Drug Enforcement Administration also are aggressively prosecuting individuals involved in illegal prescribing activity and “pill mills,” causing physicians, nurse practitioners, and pharmacies to surrender their federal licenses to dispense controlled substances. In the most serious cases, the offenders have had to surrender their medical licenses to state medical/pharmacy boards. Physicians and medical boards also have developed resources to guide physicians on responsible opioid prescribing, and there’s been a rise in the number of physicians who have had their licenses suspended by state medical boards for the unlawful distribution of controlled substances and for prescription drug fraud. Organizations like the Federation of State Medical Boards and Physicians for Responsible Opioid Prescribing also have joined the fight.

Given the high-profile nature of these efforts to define the proper use of opioids in treating injured workers, it’s likely the workers’ compensation line will see an effect. With medical expenses exceeding 60% of workers’ compensation costs, 20% of that going toward prescription drugs, this would be a welcome development.

Medical tourism

Medical tourism continues to grow as an option for patients all across America. An airline magazine recently had advertisements from hospitals outside the United States showing savings of 50% to 80% on procedures such as knee and hip replacements that are common in workers’ compensation. The general cost in the United States for a knee replacement was shown at $34,000, versus the overseas cost of just $10,000. A hip replacement was listed as $35,000 versus the overseas cost of just $11,000. Even with the cost of airfare, transportation, and hotel accommodations, the potential savings are significant (acknowledging that we aren’t attempting to control for quality or safety differences). With several companies and health insurers investigating offering medical tourism options to their employees and insureds, there could come a day when workers’ compensation insurers could leverage these tremendous savings to help drive down severity for certain procedures. While businesses may welcome the cost savings, we recognize that persuading state legislatures and injured workers to agree to these practices could be difficult.

The ACA

Several economist and workers’ compensation industry stakeholders have predicted that the ACA will create shifts in the workers’ compensation industry. But exactly how isn’t clear. Many refer to the Massachusetts Health Care Reform Act to bolster the argument that the ACA will lower overall health care costs and workers’ compensation costs. Under Massachusetts health care reform, costs within the workers’ compensation system decreased. Although ACA is more complex, similar provisions in the two laws allow a comparison of the impact on the workers’ compensation system. Analysis by RAND in 2012 found that expanding coverage to previously uninsured individuals resulted in a drop in workers’ compensation costs in Massachusetts. Finding an association between being insured and the frequency of workers’ compensation claims, RAND concluded that expanding the population holding group health insurance could reduce cost shifting to workers’ compensation.

In a May blog posting, Joe Paduda, a principal at Health Strategy Associates, affirmed his belief that the overall effect of the ACA on workers’ compensation would be positive, citing among other things, that it would lessen the motivation for cost shifting and fraudulent claims. Others have argued that increasing access to care and expanding preventive services, coupled with employer-sponsored wellness initiatives, should make the working population healthier overall, leading to a reduction in claim frequency and faster recoveries when injuries do occur.

On the other hand, some speculate that the ACA will increase workers’ compensation costs over time by straining already scarce primary care resources and causing longer wait times for treatment. The projected shortage of primary care physicians could make it more difficult for injured workers to find a physician. This, in turn, could lead to increased costs because of extended disability durations while waiting to see a physician. Others have pointed out that a decreasing supply of physicians and increasing patient demand could drive costs higher. Other factors that could affect cost shifting are significant increases in copayments and high-deductible health plans—costs that employees must bear. This could motivate some employees to file workers’ compensation claims for nonoccupational injuries.

According to findings from a recent study by Assured Research, a connection between increased health insurance coverage and decreased workers’ compensation costs isn’t supported by the data. The study evaluated health insurance penetration rates by state from 1999 to 2011 and corresponding statewide workers’ compensation loss ratios. After adjusting for national workers’ compensation trends, the results showed 31 states with rising health care penetration that resulted in decreased loss ratios. On the other hand, 20 states with rising health care penetration experienced increased loss ratios.

Immigration reform

There are approximately 11 million undocumented people living in the United States. Many don’t file workers’ compensation claims for fear of being deported. The general consensus is that legalizing undocumented immigrants will increase workers’ compensation claims. At the same time, immigrant workers are more prevalent in high-risk sectors such as agriculture, construction, and landscaping. With an influx of workers into a high-risk injury class, the potential impact on frequency and severity in the workers’ compensation system can’t be overlooked.

Anticipate and Plan

British Prime Minister Benjamin Disraeli once quipped, “What we anticipate seldom occurs, what we least expect generally happens.” Still, it’s important to anticipate and plan for the future risk. There’s little doubt that change is looming for workers’ compensation insurers and that actuaries have a key role to play in identifying and managing the transformation.

Authors

Denise Gillen-Algire and Kevin Bingham collaborated with Bill Van Dyke and William Wilt in writing this article.

Bill Van Dyke, an associate of the Casualty Actuarial Society and a member of the Academy, is a specialist leader at Deloitte Consulting LLP in Hartford, Conn. He has extensive actuarial experience in managing and performing workers’ compensation unpaid claim reserve and pricing analyses for state funds, insurers, reinsurers, state agencies, municipalities, self-insured corporations, and captives.

William Wilt, a fellow of the Casualty Actuarial Society, is president of Assured Research, a research and advisory firm focused on property/casualty insurance. Prior to forming Assured, he held diverse roles as an actuary, as a credit and equity analyst, and in corporate development.

This article first appeared in the November | December 2013 issue of Contingencies Magazine and is © 2013 American Academy of Actuaries. Reprinted with the permission of the American Academy of Actuaries.  All Rights Reserved.

Medical Identity Theft And Fraud

Medical identity theft (MIDT) is a crime that has profound consequences for patients, insurance providers, and health care providers. The definition of medical identity theft is the fraudulent use of an individual’s personally identifiable information (PII), such as name, Social Security number, and/or medical insurance identity number to obtain medical goods or services, or to fraudulently bill for medical goods or services using an unlawfully obtained medical identity. Unfortunately, the definition of medical identity theft and the consequences that are associated with the crime are not common knowledge to the general public.

A recent study conducted by Harris Interactive on behalf of Nationwide Insurance found that only one in six (~15%) of insured adults say they are familiar or very familiar with the term “medical identity theft.” Of the 15% that professed familiarity with the term, only 38% could correctly define what a medical identity was (Medical ID Theft Study 4). Unfortunately, this lack of widespread understanding of medical identity theft by consumers is part of the problem and it is costing consumers, insurers, and healthcare providers alike.

According to the most recent Ponemon Institute Research Report, 1.85 million Americans were affected by medical identity theft in 2012. This is a dramatic increase from the 1.49 million affected by medical identity theft in 2011, amounting to an almost 25% increase in just one year (Third Annual Survey 1). This rate of growth has the potential to explode due to several reasons. First, The Affordable Care Act is estimated to reduce the number of uninsured by approximately 30 million (Insurance Coverage Provisions 13), drastically increasing the number of insurers and insured patients that are targets for medical identity theft. Second, HIPAA policies and new rules under HITECH are increasing the use of electronic health records (EHRs) which can be vulnerable to data hackers. And lastly, the data hackers themselves are more sophisticated and cognizant of ways to profit off of personal data than ever before. All these factors combined pose a very serious dilemma in controlling the rate of growth for medical identity theft. Ponemon estimates that the cost of medical identity theft to consumers in 2012 was approximately $41 billion (Third Annual Survey 1). This does not include the untold cost borne by healthcare and insurance providers. We cannot afford the cost of letting this crime grow.

In order to minimize the effects of medical identity theft we must better understand the nature of medical identity theft. The Identity Theft Resource Center (ITRC) knows it is important to assess how consumers’ identities are stolen, how they find out they have fallen victim to this crime, and how difficult it is to resolve once discovered. The Identity Theft Resource Center believes this information can be used to educate and make aware the general public as to what medical identity theft is and how they can minimize their risk or mitigate the cost once they become a victim.

Looking at how medical identity theft victims discover they have fallen victim to this crime is crucial in determining what can be done to discover medical identity theft sooner to avoid increased expenses and instances of fraud. The 2012 Ponemon report found that the most common way (39%) people discover they have become victims of identity theft is by receiving collection letters for delinquent bills. This is bad news as this means the costs for the fraudulent services worked their way through the providers’ billing systems and languished there until they were forwarded to collection departments or agencies. In the time it took for the bill to make it to the collection department or agency, the imposter could have committed many more instances of fraud in different locations. The second most common method of discovery (32%) was by noticing mistakes in their health records, tipping them off to the medical identity theft. This is also bad news as mistakes in health records can have catastrophic consequences which can be fatal.

Fortunately, the third most common method (26%) of discovering identity theft was by victims noticing suspicious postings to a statement or invoice, such as an Explanation of Benefits statement. This is very good news as this usually means the victim is discovering their medical identity theft as early as possible. The earlier the victim notices the crime, the more likely they may avoid damage to their credit score, stop future abuse of their medical identity, and reduce the amount of time and money spent to rectify the issue. This statistic is even more interesting when compared to the previous two years of the Ponemon study, where only 9% of participants indicated that they discovered their medical identity theft via suspicious statements of invoices. This is a promising example of how educating and making consumers aware of medical identity theft can make a big difference in helping reduce the incidence of medical identity theft and its costs as a whole.

Looking into the mitigation process victims are confronted with after they discover their medical identity theft reveals the costs and trouble they have to go through to clear their names. There are two distinct objectives when mitigating medical identity theft. First, the victim must deal with an individual incident such as a thief receiving medical care under the victim’s name and the associated fiscal impact the crime imposes. Second, the victim must now deal with the task of “curing” themselves of medical identity theft, insuring that their medical identity is not abused again in the future. This second objective is extremely difficult and contributes to the devastating nature of medical identity theft.

Regarding the first objective, the process for rectifying an individual incident of medical identity theft is complicated and drawn out. The victim must immediately contact the medical records and billing departments of the healthcare provider that provided the services to the imposter, request their medical records, and inform the provider that they are not responsible for the fraudulent bills. Upon learning that there may be fraudulent information in the victim’s medical record, the healthcare provider may deny the victim access to their medical record for fear of violating the Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects the privacy of patients’ medical records making healthcare providers worry that they may be violating the imposter’s privacy rights by releasing the medical record to the victim. Oftentimes, the healthcare provider does not know for a fact that the fraudulent information in the medical record was a result of medical identity theft and cannot rule out that it may simply have been an accidental mixing of two patients’ records. Regardless of the situation, the healthcare provider is afraid of incurring liability under HIPAA for releasing confidential medical information even if it is under the victim’s name. The victim may have to appeal the decision in order to be able to view their records.

In one case, a medical identity theft victim was charged for bills related to the alleged amputation of one of her feet. Luckily, this was easily refutable as she would simply show the hospital billing department that she still has her two feet. Unfortunately, the imposter also had diabetes which prompted a physician, during a subsequent hospitalization, to ask the victim what medications she was taking to treat her diabetes. Note, the victim has never had the disease (Menn). This case demonstrates how frustrating correcting medical records can be and reminds us how dangerous medical identity theft is to the victim.

It is also recommended that victims file a police report and submit a copy of the report to healthcare providers as it will usually help streamline the process. It is important for victims to note that medical identity theft, like any other form of identity theft, is a crime police are required to provide a police report for in most states. Once the incorrect information is identified, the victim must request that the healthcare provider either remove the information or at least flag it should the provider be reluctant to permanently remove it. After correcting the records at the location the imposter received medical services, the victim will then have to request an accounting of disclosures listing all the entities to which the healthcare provider sent the victim’s fraudulent records. The victim must repeat this procedure at each location that has their fraudulent medical record. All of this creates mountains of work for healthcare providers, insurers, and the victims themselves which increases costs in the medical industry for everyone involved.

The second and more difficult objective, “curing” oneself of medical identity theft, does not have a set solution. The problem stems from the decentralized structure of the medical data system. Every healthcare provider, pharmacy, and insurer has its own records and records system. In contrast, the financial industry has three major credit reporting agencies through which almost all financial credit information is processed. Therefore, when you have suffered financial identity theft, a great way to mitigate future instances of fraud is to place a credit freeze with all three credit reporting agencies so that identity thieves cannot abuse your credit again. There is no such central medical record agency for medical records. Thus, it is possible for a medical identity thief to commit fraud with the same medical identity over and over again in multiple locations around the country. The victim will have to go through the individual incident mitigation process every time and just hope that the identity thief will stop using their medical identity.

Since there is no way to get ahead of the thief and prevent the medical fraud from occurring, the best way to mitigate the costs and effects of medical identity theft is for the victim to be vigilant and confront each instance of fraud as soon as possible in order to reduce the amount of wasted time and costs. This repetitive cycle is exhausting and costly for the victim as well as healthcare providers and insurers. In all three years Ponemon has conducted this survey, the number of victims who said they had completely resolved their medical identity theft never exceeded 11% (Third Annual Survey 11). This is an ongoing problem that does not yet have a solution, but it is imperative for all stakeholders to be involved.

All of this information points us to the realization that medical identity theft is a costly and potentially dangerous crime that is incredibly difficult to resolve. To make matters worse, medical identity theft often goes undiscovered for long periods of time and only becomes more detrimental and difficult to resolve the longer it goes undetected.

The Identity Theft Resource Center proposes that one of the best methods of reducing medical identity theft and the costs associated with it is an educated and aware consumer population. To make this point, it is useful to separate out the causes of identity theft listed in the Ponemon report into two groups. The first group includes causes of identity theft that victims have no control over: healthcare provider used identification to conduct fraudulent billing (22%), malicious employee in the health provider’s office stole health information (7%), and the healthcare provider, insurer or other related organization had a data breach (6%). In total, 35% of the causes of identity theft cannot be affected by actions of the consumer. The second group consists of causes of identity theft that a consumer does have a degree of control over: family member took personal identification credentials without my knowledge (35%), mailed statement or invoice was intercepted by the criminal (6%), lost a wallet containing personal identification credentials (5%), and a phishing attack by criminal who obtained personal identification credentials (4%). Thus, the total of causes of medical identity theft that can be affected by actions of the consumer is 50%. It should be noted that 15% of the participants still did not know how they had their medical identity stolen.

Looking at the numbers above, it is clear that the consumers themselves can have the largest impact in reducing the number of medical identity theft cases and the severity of the cases that still occur. Not only do the consumers themselves have the best ability to reduce the risk of medical identity theft happening to them, they are the only people that can reduce the severity of the crime when it does happen. The Identity Theft Resource Center has long understood the ramifications of medical identity theft on the consumer population as well as the medical industry itself. We know that educating the consumer population can be cost-effective and powerful.

The Identity Theft Resource Center is a founding organization of the Medical Identity Fraud Alliance, the first public/private sector-coordinated effort with a focused agenda that unites all the stakeholders to jointly develop solutions and best practices for medical identity fraud. We encourage all industry stakeholders to join so that we can work together in galvanizing the consumer population into becoming the most effective weapon yet against medical identity theft.

How Consumers Can Minimize Their Risk Of Medical Identity Theft

  • Review Explanation of Benefit statements as soon as you receive them as they may detail medical services that you never received.
  • Review your credit reports multiple times a year to see if any fraudulent accounts have been opened in your name, or if any medical bills have been reported as unpaid.
  • Be aware of phishing emails. These emails are designed to look like they are official communications from either a healthcare provider or insurer and ask for personal information such as a Social Security number, insurance policy number, or other information used to commit medical fraud in your name.
  • Do not open attachments in emails from people you are not familiar with as it may have a virus or program to steal information from your computer.
  • Use a Virtual Private Network when using the Internet outside of your home as this will encrypt your signal from your mobile device or laptop.
  • Do not carry your Medicare card, Social Security card, or certain military identification as these have your Social Security number on them. Should you lose your wallet or purse or have it stolen, this information would be extremely valuable to a medical identity thief.
  • Shred or safeguard any documents with personally identifiable information by either locking them in a safe hidden in the home or by storing them on an encrypted thumb drive and deleting them off your computer. Sensitive documents with PII include:
    • Tax preparation papers
    • Explanation of Benefits statements
    • Medical Bills or Records
    • Bank Statements
    • Passport
    • Medicare, Social Security, or military identification card

References
Nationwide Mutual Insurance Company. “Medical ID Theft Study Results.” March 2012. Print.

Ponemon Institute. “Third Annual Survey on Medical Identity Theft.” June 2012. Print.

Congressional Budget Office. Estimates for the Insurance Coverage Provisions of the Affordable Care Act Updated for the Recent Supreme Court Decision. U.S. Government Printing Office. July 2012. 13 December 2012. http://www.cbo.gov/sites/default/files/cbofiles/attachments/43472-07-24-2012-CoverageEstimates.pdf

Menn, Joseph. “ID Theft Infects Medical Records.” Los Angeles Times. 25 Sept. 2006. N.pag. Web. 20 Dec. 2012

OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data Breach

Properly encrypt and protected electronic protected health information (ePHI) on laptops and in other mediums!

That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights’ announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights’ first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems has been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement also adds to growing evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR’s announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights’ expectation that covered entities will properly encrypt ePHI on mobile or other devices. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In the face of rising enforcement and fines, the Office of Civil Rights’ initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights’ investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights’ enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.

For more information on HIPAA compliance and risk management tips, see here.

Everything That Ails Our Healthcare System … Squeezed Into One 12-Minute Doctor Visit

A few weeks ago I taped the first episode of my new public radio show. I thought I sounded good enough, and the producer assured me that I would sound even better after I got over my cold. This would have been reassuring, except that I didn’t have a cold.

Fearful of being fired my first day on the job, I immediately called my primary care physician (PCP) to get some advice on how to sound less hoarse. The doctor’s office promptly scheduled a visit with an Ear, Nose & Throat specialist, only four days later.

The specialist scoped my nose and announced that I had polyps in my sinuses. She said she would schedule me for a CT scan of the sinuses, and offered three alternative treatments, which, she added truthfully, may or may not work.

  1. Steroid-based nasal spray
  2. Steroid-based nasal spray with a three-week course of antibiotics
  3. Day surgery followed by a saline flush for a week

“So,” she asked, about seven minutes into the appointment, “which do you want to do?”

“Um,” I replied. “Shouldn’t we try the most conservative therapy first?”

“Well, you could.”

I begged off the surgery by quite correctly observing that I wasn’t very adept at flushing my nose out, so that I would prefer one of the non-surgical alternatives. “I’m not sure I need the antibiotics because I don’t think this is bacterial,” I said.

“A lot of patients report relief with the antibiotics,” she replied, almost as if she were cast as the “before” picture in an evidence-based medicine textbook.

“Isn’t three weeks a long time to be taking antibiotics?” I asked.

“Yes. Some people say that.”

I opted for the nasal spray. I elected not to schedule the sinus CT scan. Seemed like a lot of cost and inconvenience … and didn’t I just get a diagnosis anyway? So I didn’t follow up on it.

Except that the sinus scan was thoughtfully scheduled for me, as I learned when a scheduler called me the very same day. I ignored my first voicemail from the scheduler, but after the third I realized they really did expect me to show up (that very Friday, no less), and it occurred to me I might get billed unless I affirmatively called to cancel the appointment.

And, that is what is wrong with fee-for-service medicine. Most well-insured people would have gone along with the recommended program, getting the scan, the surgery, and who knows what else.

The bottom line is, in twelve short minutes, this visit encapsulated everything that is wrong with traditional fee-for-service medicine, of the type that someday, with any luck, is going to be replaced by capitated ACOs using patient-centered medical homes, supported by electronic medical records (EMRs), to refer to salaried specialists who don’t get to bill a big chunk of money each time they do a surgery.

Except that this practice is already a designated patient-centered medical home, it already uses an EMR, it is already partially capitated by its major health plan, and its specialists are already salaried.

That is the “punchline,” and explaining a joke often ruins it, but healthcare isn’t a joke so I’ll explain.

Just changing practice incentives may not change the behavior of individual physicians, especially specialists who even in most capitated practices are/will still be paid on the basis of work performed, somehow, to some degree. (In this practice, work performed affects physician salary for the following year.)

Further, patient satisfaction also factors into compensation, and what can be more satisfying for patients than promptness and responsiveness and action? As for the checks-and-balances provided by the EMR, it turns out that the EMR is what expedited the referral in the first place. Years ago it had been noted that I had a deviated septum (like about half the world, as it turns out). That information was duly stored in my EMR, so that my primary care physician had grounds to make a referral at her fingertips, without needing me to see her first.

The coda on this story? To try to overcome this hoarseness, I took the steroidal nasal spray twice a day for a week. Then I read the FDA insert, which listed the following as a side effect: hoarseness. I stopped the spray, and told this story to my producer. My producer suggested tea with honey during each taping, surely the most conservative therapy … and I still have my job.

So domestic policy wonks in the Washington, DC market can now hear me on The Big Fix Saturdays at 4 PM on WAMU 88.5, at least through January 15, when the funding runs out. I’m still a bit hoarse, but thanks to my producer I no longer sound like that guy on Boardwalk Empire whose vocal chords were blown up during World War I.

Postscript: The first episodes have already aired, and while a few people complained, not without justification, about my hosting skills, no one wrote in to say: “This guy sounds like he needs his polyps removed.”