Tag Archives: health care industry

Using Strong Carrots And Sticks To Drive Health Care That Works

On a recent call with a large manufacturer, my company's team expected to describe how we develop primary care medical homes that become platforms for managing comprehensive health care clinical and financial risk. But the team on the other end of the phone beat us to it. Their remarks — that health care cost is a multi-headed monster that requires a broad array of simultaneously executed approaches — were a breath of fresh air.

They wanted to avoid approaches that don't work or are designed to accrue to a vendor's disproportionate financial advantage and focus instead on mechanisms that measurably improve health and reduce cost. Their conventional current clinic vendor wasn't onboard, philosophically or in terms of capabilities, and so wasn't getting results. They were looking for a replacement vendor that could help them drive more appropriate care, with clear rules for patients and providers.

Often we have to cajole clients into more aggressive actions: restructuring their benefits or their PBM formularies, redirecting care to high performing doctors or hospitals, direct contracting for advanced images or ambulatory surgeries, creating stronger incentives for approaches that are most likely to produce better results. But now we're finding more employers exhausted and eager to pursue out-of-the-box approaches that can drive more appropriate care and cost.

Since the end of World War II, when employers began offering health benefits to recruit and retain better employees, a tug-of-war has been waged over the rules of engagement. Employers want competitively healthy and productive work forces, but see health care as an unpredictable significant cost that must be managed. Employees may bristle at participating in risk assessments, or seeing certain doctors or working toward a healthier lifestyle. These may be seen as brazen invasions of privacy, as work overflowing into personal life, as constraints on patients' abilities to obtain quality care.

Until now, most employers have been reluctant to be too dictatorial. But the financial threats of relentlessly surging cost — 4.5 times general inflation for more than a decade — and overwhelming evidence of industry excess have been impossible to ignore, fueling a focus on using strong carrots and sticks to steer behaviors that follow what works.

This is no small task, because a profiteering health care industry has developed scores of ways to extract more money than it is entitled to. Low primary care reimbursements have translated into rushed visits, driving up specialty referrals, diagnostics, procedures and costs for complicated patients. Egregious unit pricing on drugs, devices and specialty procedures — think stents, advanced images and complex spinal surgeries — encourages delivering more unnecessary products and services. Yellow-pages provider networks give patients “choice” to unwittingly see lousy doctors who consistently produce poorer outcomes at higher episodic cost, or get care in hospitals where there are higher opportunities to experience an error or acquire an infection. Leaving all this to health plans that have, for decades, been unwilling or unable to manage these vectors or control costs is repeating a behavior while hoping for a different result.

Last year, Walmart contracted for heart, spine and transplant surgeries with six Center of Excellence health systems around the country. These organizations use salaried specialists who are more likely to diagnose and treat correctly the first time for lower overall utilization and cost. They use and share evidence-based protocols, share data and coordinate care with local providers. Walmart employees who visit these Centers pay nothing. Many large and mid-sized firms are now pursuing this design.

Jerry Reeves MD, a medical management innovator, structured an alternative health plan design for one of his clients. His plan used rules that strongly encouraged approaches that work. Employees who adhered to the rules paid about one-third less for their coverage. But the program required a commitment. Participants who signed up had to use one of eight primary care medical homes that had been established. They needed to visit within 90 days for an exam, including a biometric profile. If the medical home called to recommend visiting a nurse coach, the patient needed to do that. Patients seeing specialists needed to make sure that the specialist information came to the primary care doctor. The medical homes were structured to accommodate walk-ins, so urgent care visits in Emergency Departments were not covered until after hours. There were other rules as well.

There are rules for doctors and hospitals too. To participate in good standing, they had to develop and sign documented care plans for patients, so patients and physicians could know what to expect. They had to be able to exchange clinical information so care could be better coordinated.

Patients failing to follow any of these rules would receive “strikes,” and three strikes would land the patient in health care timeout for a year, back to the original health plan, with more choice but 35 percent more cost.

Dr. Reeves' numbers were striking. 97 percent of the group signed up for the plan, and only one person struck out. Hospital days dropped 55 percent. Advanced images dropped 35 percent. Health improved and costs plummeted.

Employers are waking up, and are tying stronger incentives to approaches that get results. On the hook for exorbitant health care costs, employers and employees are game to know who delivers value and what works. They want good care for their families without financial peril. And they want help orchestrating that process without financial conflict.

More employers are making this shift. Broad-spectrum medical management organizations see this as an opportunity to succeed by bringing health care back into balance.

This article first appeared on Care and Cost.

OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data Breach

Properly encrypt and protect electronic protected health information (ePHI) on laptops and in other mediums!

That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI, even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA to, among other things, tighten certain HIPAA requirements, expand its provisions to apply directly to business associates as well as covered entities, and impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights’ announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights’ first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems have been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement adds to the growing evidence of the exposures that health care providers, health plans, health care clearinghouses and their business associates face, and of their need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR’s announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights’ expectation that covered entities will properly encrypt ePHI on mobile or other devices. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In the face of rising enforcement and fines, the Office of Civil Rights’ initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should critically and carefully review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices to determine if additional steps are necessary or advisable. That review should take into consideration the Office of Civil Rights’ investigation and enforcement actions, emerging litigation and other enforcement data, their own security and privacy breaches and near misses as well as reports of others’, and other developments.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights’ enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.

For more information on HIPAA compliance and risk management tips, see here.