Tag Archives: health data

healthcare

Future of Work Comp Healthcare Delivery

Reform is changing healthcare delivery models, but there is a large gap between the healthcare related to workers’ compensation and the group health approach.

As a result of healthcare reform, the industry has experienced significant consolidation of health systems and medical practices, with an added emphasis on patients as consumers of healthcare, all as providers continue to evolve. As employers, though, our message is confused.

We tell employees that we have a great healthcare system for them, encourage them to choose the best physician to meet their needs and remind them to get regular checkups. However, if an employee gets injured, we have a separate system with a separate set of doctors and a separate set of rules.

If employers can find better doctors to treat workers, they can improve the quality of the workers’ compensation system. Employers are not going to get better doctors just by paying more; but, if they can identify which doctors are doing a better job and reward them, results improve.

California’s model has been experimenting with the concept of rewarding doctors for providing superior care, which has resulted in significant cost reduction. Great doctors are actually reducing the amount of medical attention required and, overall, workers’ compensation claims costs. As a result of better care and employee satisfaction, litigation costs have also dropped. Quality matters.

With advancements in technology, reimbursement models, a focus on quality and the movement of connected care, health systems across the U.S. are offering accountable care organizations (ACOs) for employer benefit solutions. Many think mergers and consolidation are a bad thing, however, in this consolidated world where health systems have changed, mergers and consolidation are changing “well care” to “sick care.” By taking a holistic approach, you are able to take a patient from wellness to injury care. Workers’ compensation needs to be part of this discussion. If not, we cause an even greater divide.

This holistic approach is not a new concept. In the 1990s, there were three 24-hour care pilot programs that tried this approach and resulted in lowered cost and improved medical control. At the same time, 10 states also mandated 24-hour pilot studies. Employers generally liked the pilot programs, which resulted in benefits such as increased medical control and reduced costs. On the national front today, the National Institute for Occupational Safety and Health (NIOSH) has a total worker health program that considers the total person and the factors that affect the individual’s health. The workers’ compensation system could borrow and apply successful elements from these programs.

When you send an injured worker to the best and brightest, you make the workers and their families feel like you are treating them well. This gets the patient to do what the doctor wants and stops the unfortunate spiral of delays in care. Technology is going to refine this approach even further. Technology will enable patients to get in touch with doctors immediately and will make the worker feel like he was properly cared for. This has the potential to be extremely effective and efficient for the system.

When a connected care system is not in place, the gaps in care are leading to needless disability and extended absence. Technology and telemedicine are essential components of this connected care. Gathering and analyzing health data is also important to drive positive behavior and improve overall quality of care.

The patient base is also more complicated, and that is where finding the great doctor comes into play. Today, if you have a patient with a broken arm, you may, in fact, have a patient with a broken arm and diabetes, which is much more difficult to treat. We need to find these great doctors and find systems for them to work with that operate far more efficiently. Technology is a very big part of that.

The current workers’ compensation system is not set up to reimburse for payments under this new model, including the use of nurse practitioners and physician’s assistants. The system needs to move in this direction. There are simply not enough physicians to see everyone. These healthcare professionals are essential elements of the group system, and the workers’ compensation system could be improved significantly by recognizing the need for these important providers.

Workers’ compensation currently works in silos, and that is an obstacle. The health system ACO model is communicating directly to the employers. As this model becomes adopted, the board room is not seeing the financial benefits just yet. However, when employers decide they want change, change happens. It is just a matter of getting their attention.

Employers are paying attention to the data they receive on the types of health systems. If the data around what is working in group health becomes available to employers, they will evolve.

Holistic care is certainly a trend that is largely becoming a reality. Workers with sedentary lifestyles who become injured on the job bring complicated connections between injury and pre-existing conditions that are hard to separate. It makes sense to treat people as they are—as a whole person. It is very important to try to get all of the systems to work together to treat the employee as one person.

We need a network that drives total employee health, and we can only have that if group health and workers’ compensation can talk to each other. Data is going to drive this evolution. The best-case scenario is if all this wonderful science and data can be put to use to help patients and merge what currently are parallel systems.

These issues were discussed in more details during an Out Front Ideas with Kimberly and Mark webinar, which was broadcast on Sept. 30, 2015. The archived webinar can be viewed here.

Will Policies Break Down Into Apps?

With the news that Uber is partnering with Metromile to offer Uber drivers “pay-per-mile” insurance, along with AirBnB announcing host protection insurance to supplement existing insurance policies on rooms and houses, we may be seeing the first cracks in the decades-old marketplace for all-encompassing insurance policies.

And really the change should not surprise us. After all, it was just a few years ago when an airline ticket bought you everything: the seat you wanted, free drinks and hot meals even in the economy cabin and transportation for your luggage. These days, your ticket buys you admittance to the inside of the airplane-and basically nothing else. Every other option is now on an a la carte menu-Wi-Fi, beverages, meals, bags, preferred seating, movies. The whole experience is an upsell by the airlines.

Now that the door has been cracked a bit, what might be next? Well, as seen with the awesome app MyFitnessPal being acquired by UnderArmour, in industry after industry the advantage is all about the apps and the data. And if apps in cars can now track how far we drive and how often we’re slamming on the brakes, to save us money on our auto insurance, might we also be able to save some money on our health insurance by providing our health data to our carriers as well?

Fitbit

After all, when I step on my Fitbit Aria scale, it knows my weight and body mass index (BMI). MyFitnessPal knows what I’m eating and drinking, and, if I’m lying, the scale will catch me. If I go paleo and lose 10 pounds or complete an hour of CrossFit every day, shouldn’t I be rewarded with a lower health premium? Previously, you’d have to take a blood test and tell the underwriter if you were a smoker. But what if my rates could vary based on how healthy a lifestyle I’m leading?

And once you drive your health through this gap, you can disaggregate any part of our lives into the proverbial Chinese menu of costs. Might I pay more for life insurance if I drive my family vs. flying, which is inherently less safe? What about feeding my travel itinerary into an app and getting personalized travel insurance based on what I do on vacation? And don’t get me started on the “Internet of Things.” We already provide our thermostat and carbon dioxide levels to Google through their Nest products-shouldn’t we get a rebate from our homeowner’s policy for keeping the house at a cool 68 degrees?
Digital Thermostat

What’s interesting about these scenarios is how easily they flow once you get started. Which is how the whole apps market works-you break down a process into pieces and start to handle the individual parts.

So why wouldn’t we want to do the same with our insurance?

As younger people continue to lead the movement toward the sharing economy, showing less propensity to care about exchanging data for cost savings, it’s an increasingly interesting question. In a recent survey by the National Association of Insurance Commissioners (NAIC), 43% of drivers between the ages of 18 and 29 said they would consider enrolling in a pay-per-mile insurance policy-and that’s with only a few carriers offering such programs. There’s no doubt that the world is moving to this model.

Of course, the $100,000 question is, “when is enough, enough?” Will altruistic motivation among younger people to lower greenhouse gases and pollution triumph? Will $200 a year less in health insurance premiums be worth the cost of sending your Fitbit data to your health insurer? Will I choose to let someone track my movements in my house in exchange for preferential rates on my homeowner’s policy?

While we can’t say for certain right now, it’s not a huge leap to expect that, at some point, we’ll all be asked to “name our price.”

OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data Breach

Properly encrypt and protected electronic protected health information (ePHI) on laptops and in other mediums!

That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights’ announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights’ first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems has been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement also adds to growing evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR’s announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights’ expectation that covered entities will properly encrypt ePHI on mobile or other devices. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In the face of rising enforcement and fines, the Office of Civil Rights’ initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights’ investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights’ enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.

For more information on HIPAA compliance and risk management tips, see here.