Tag Archives: HITECH Act

Healthcare Firms on Hit List for Fines

When the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, the internet was an infant. Physicians walked around with paper charts. A “tablet” referred to a pill. And the typical cyber attack aimed simply to deface a website.

But with the evolution of the electronic age, the majority of the nearly 1.2 billion annual medical visits in the U.S. are documented, stored and shared in electronic form.

And the threat landscape has been evolving, as well.

“Now that (the records) are online and connected across multiple providers and exchanges, there will be more breaches if nothing else is done (for security),” says Kurt Roemer, chief security strategist for Citrix, which provides security tools.

See also: Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices

In response, federal authorities have stepped up enforcement actions against healthcare organizations that violate patient privacy rules under HIPAA. As a result, the number of sanctions has reached record levels.

In August, Advocate Health Care Network agreed to pay a record $5.6 million HIPAA settlement for a series of 2013 data breaches affecting 4 million patients.

The fines levied by the Department of Health and Human Services’ Office for Civil Rights (OCR) in 2016 surpassed those of any previous year since HIPAA became law.

Settlements send a message

And the fines levied by OCR in 2016 were hefty, averaging just over $2 million per sanction. This stepped-up enforcement is no doubt sending a message to healthcare providers.

“There’s a clear upward trend,” says Matt Mellen, security architect for health care with Palo Alto Networks, which provides a next-generation cybersecurity platform. This “is definitely enough to get the attention of healthcare organizations.”

The trend also is reflected in the number of incidents reported by HIPAA-covered entities. OCR’s breach database, which only includes incidents affecting 500 or more individuals, shows the annual count has grown substantially since 2010, even if not every year tops the one before it.

In 2010, 198 incidents were reported to OCR, compared with 296 in 2014 and 269 in 2015. The trend has been documented in various cybersecurity reports, including IBM’s 2016 Cybersecurity Intelligence Index, which ranked healthcare first among all industries for the number of data breaches.

And according to Ponemon’s recent “State of Cybersecurity in Healthcare Organizations in 2016,” nearly half of the 535 respondents said their healthcare organizations experienced an incident in the past 12 months involving loss or exposure of patient data.

The sector is clearly struggling to keep up with the threats, but the problem is not the law itself, says Niam Yaraghi, a fellow at the Center for Technology Innovation at the nonprofit Brookings Institution.

Sinking teeth into the law

“HIPAA is a fairly good law,” he says. “The problem is that healthcare organizations consider (HIPAA) as the ultimate level of security that they have to implement, and they do not have any incentive to go beyond HIPAA.”

Jodi Daniel, who worked for the Department of Health and Human Services for 15 years and was one of the key draft writers of HIPAA’s Privacy Rule and Enforcement Rule, says, “When the rules first came out … the focus of enforcement was on education and promoting voluntary compliance.” The goal was to help the industry “get it right, as opposed to penalizing them for getting them wrong.”

The first OCR settlement — $100,000 — didn’t come until 2008. And over the next three years, there were only a total of six. The pace picked up in 2012, as has the average amount of the settlements.

See also: Will You Be the Broker of the Future?  

What happened in the meantime was the passage in 2009 of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH dramatically expanded the penalties, creating tiers based on “increasing levels of culpability,” and raised the annual cap for identical violations from $25,000 to $1.5 million. It also extended HIPAA’s requirements directly to business associates.

The addition of business associates was significant, considering a large number of breaches are attributed to third-party incidents.

Risk management more important

The increased OCR enforcement also is putting an emphasis on risk management. Of the 39 settlements to date, at least 14 included lack of risk assessments among the violations.

Palo Alto’s Mellen says OCR’s emphasis on risk management is a positive trend.

“The risk management process is designed to identify all the potential threats to patient data and allows you to define action plans to mitigate those risks,” he says.

Cyber attacks, in particular, pose a bigger threat to patient privacy than other types of breaches: fewer incidents, but far more records exposed per incident. Yaraghi’s report shows that nearly 120 million people were affected by about 150 incidents involving cyber attacks, versus a little more than 20 million people affected by about 700 incidents involving theft of laptops, media and the like.

And the number of hacking/IT incidents is seeing a dramatic increase. Those reported to OCR between 2010 and 2014 grew from nine to 32. In 2015, there were 57.

Yaraghi is a proponent of a third-party HIPAA certification system to serve as a preventive measure. But a true economic incentive, he believes, would be cybersecurity insurance. He recommends every healthcare organization have a policy.

“Healthcare organizations will have to take security into account to reduce the cost of premiums,” he says.

See also: Can InsurTech Make Miracles in Health?  

In the meantime, the increased OCR enforcement could create a stronger incentive for healthcare organizations to step up cybersecurity. It will also get the attention of boards of directors, Citrix’s Roemer says.

“It would make it more difficult for the health care institutions and their boards to casually say they aren’t going to invest in security,” Roemer says. “It will definitely drive some changes in behavior.”

More stories related to HIPAA and health records:
Hospital hacks show HIPAA might be dangerous to our health
Encrypting medical records is vital for patient security
Healthcare data at risk: Internet of Things facilitates healthcare data breaches

This article originally appeared on Third Certainty. It was written by Rodika Tollefson.

Can InsurTech Make Miracles in Health?

As an American and the de facto administrator of my family’s health insurance, I am reminded routinely of some of the complexities of the methods we employ to maximize health and pay for care in this country. Forces are driving individuals, providers, insurers and employers to change their approaches or suffer the consequences.

InsurTech companies that take aim at the U.S. healthcare industry by using software and data to improve efficiency and outcomes can benefit from this opportunity. Depending on whether you are an optimist or pessimist, the healthcare sector is the land of endless opportunity or unsolvable problems. Because the scale is huge, even small steps forward, aimed at opportunity pockets, can translate into significant wins.

Let’s view the situation through four lenses: the health of the American people, marketplace trends, the role of regulation and the players. You can unpack any one of these and understand why Venture Scanner has identified more than $26 billion in funding being poured into 1,300 health-technology companies across 21 categories and 48 countries. The issues and implications arising from any of these categories are intertwined, so even startups focusing on health insurers cannot disconnect from what is happening in the rest of the ecosystem. This post focuses on health insurance in the U.S., not the broader healthcare space or other geographies, because the U.S. is a) a massive market and b) structured differently from the markets in Europe and Asia.

Americans, overall, do not live a healthy lifestyle

The U.S. came in last place in a 2013 ranking of affluent countries’ health in a Mayo Clinic Proceedings study that included four factors in its definition of “healthy lifestyle”: diet, exercise, weight and smoking.

Americans are getting fatter. More than one-third of the adult population is obese. Every single state has an obesity rate of more than 20%, adding an estimated $200 billion to the national healthcare tab.

A piece of good news from the Centers for Disease Control is that the percentage of adult smokers has dropped steadily from 42% in 1965 to 17% in 2014. The trend among students has been less stable, but generally downward, peaking at 36% in 1997 and dropping to 16% in 2013.

This is a huge and shifting marketplace

Consider just a few dimensions:

  • Healthcare spending represents 18% of the U.S. gross domestic product, $3.2 trillion, or about $10,000 per person. As the population ages, government spending in the sector is expected to increase. Also consider that 30% of Medicare dollars go toward the 5% of beneficiaries who become very ill and then die each year.
  • Employers are taking action to shift costs to employees and slow spending. Employers provide coverage to 150 million Americans. And, according to the Kaiser Family Foundation’s 2015 survey, the total average annual premium per employee has increased from $5,791 to $17,545 since 1999. Employees are being asked to pay more, or to avoid doing so by trading down to high-deductible plans. This yields near-term savings for healthy families who don’t run into any medical surprises. What is rarely highlighted, however, is how many families are effectively assuming the financial risk of facing a large deductible in the event of, say, an unanticipated hospitalization. Because 62% of Americans have less than $1,000 in savings and 21% have no savings, the potential is real for individual families to face serious financial consequences as a result of this choice.
  • Only one in seven Americans understands the insurance plan they selected, yet they are held increasingly responsible for managing decisions that could have implications not only for cost but also for quality of life.
  • Insurance carriers have benefited from ACA (Affordable Care Act aka Obamacare, formally named the Patient Protection and Affordable Care Act) because of how the statute has expanded the market and provided premium subsidies for lower-income households. At the same time, insurance companies remain the least trusted of the healthcare subsectors.

Regulations focus on changing behavior, protecting patient data and stimulating innovation

ACA, signed into law in 2010 and upheld by the Supreme Court in 2012, is watershed legislation that set the sector up for reinvention. ACA takes both a carrot and stick approach to increase coverage and care effectiveness while lowering costs, e.g.,

  • If, as an individual, you don’t purchase coverage, you face penalties.
  • If, as an employer of 50 or more people, you don’t offer coverage, you face penalties.
  • Healthcare providers are being given incentives to make “meaningful use” of electronic health records to create efficiencies and improve care decisions, and face penalties if they fail to use such tools.
  • Primary care providers and general surgeons are being given incentives to move to underserved geographies.

These are just a few examples of how ACA is attempting to get people to change how they select, use and administer healthcare payments and services.

Two other regulations affect health insurers:

  • The Health Insurance Portability and Accountability Act, better known as HIPAA, whose Privacy and Security Rules are designed to protect patient health information while improving data portability. HIPAA affects how data is stored, protected, used and transferred.
  • The HITECH Act (Health Information Technology for Economic and Clinical Health), enacted to support the development of a nationwide health IT infrastructure, as well as to define and maintain standards for health information technology products and how they interact with each other. It also raised HIPAA’s penalties and extended its obligations to business associates.

Any health care player — incumbent, startup or investor — must understand how the regulations work

For those who question whether ACA might be repealed, consider that, while this year’s election suggests anything can happen in politics, there have been more than 50 failed attempts by Republicans in Congress to undo the legislation. So, better to understand how the incentives and disincentives relate to any potential new business model, and appreciate how big a departure ACA’s core principles are from the traditional way in which the U.S. healthcare system has operated. The latter is vital to understand the dynamics of the new playing field and how individuals, providers, insurers and employers are responding.

The winning business models will be those that exhibit four characteristics:

  • Link to the regulatory levers – carrots and sticks for individuals and providers – and move them. This is where the commercial value lies.
  • Prove they can deliver better outcomes at lower cost.
  • Demonstrate potential to scale, by itself, via B2B partnerships, or via exit to a scale incumbent.
  • Have a viable basis for underwriting and risk management.

Success will be a function of software + data + tactical knowledge of the levers – both the regulations and how to motivate behavioral change where people are being asked to make radical changes.

1 Myth, 2 Truths, 5 Hot Trends in Health IT

There is a myth out there that healthcare providers are unwilling to adopt new technology. It’s just not true. In the last few months, I have spoken to dozens of healthcare leaders at hospitals both small and large, and I am amazed at their willingness to understand and adopt technology.

Pretty much every hospital CEO, COO, CMIO or CIO I talk to believes two things:

  • With growing demand, rising costs and constrained supply, healthcare is facing a crisis unless providers figure out how to “do more with less.”
  • Technology is a key enabler. There is technology out there to help save more lives, deliver better care, reduce costs and achieve a healthier America. If a technology solution solves a real problem and has a clearly articulated return on investment (ROI), healthcare isn’t that different from any other industry, and the healthcare industry is willing to adopt that technology.

Given my conversations, here are the five biggest IT trends I see in healthcare:

1. Consumerization of the electronic health record (EHR). Love it or hate it, the EHR sits at the center of innovation. Since the passage of the HITECH Act in 2009—a $30 billion effort to transform healthcare delivery through the widespread use of EHRs—the “next generation” EHR is becoming a reality driven by three factors:

  • Providers feeling the pressure to find innovative ways to cut costs and bring more efficiency to healthcare delivery
  • The explosion of “machine-generated” healthcare data from mobile apps, wearables and sensors
  • The “operating terminal” shifting from a desktop to a smartphone/tablet, forcing providers to reimagine how patient care data is produced and consumed

The “next generation” EHR will be built around physicians’ workflows and will make it easier for them to produce and consume data. It will, of course, need to have proper controls in place to make sure data can only be accessed by the right people to ensure privacy and safety. I expect more organizations will adopt the “app store” model Kaiser pioneered so that developers can innovate on their open platform.

2. Interoperability— Lack of system interoperability has made it very hard for providers to adopt new technologies such as data mining, machine learning, image recognition, the Internet of Things and mobile. This is changing fast because:

  • HHS’s interoperability roadmap, which targets nationwide interoperability of EHRs by 2024, means patient data can be shared across systems to enable better care at lower cost.
  • HITECH incentives and the HHS goal of moving 50% of Medicare payments from fee-for-service to value-based alternatives by 2018 imply care coordination. Interoperability will become imperative.
  • The Argonaut Project, an industry-wide effort to create a modern API for data and services sharing between the EHR and other systems using HL7 FHIR, has already made impressive progress.
  • More than 60% of the proposed Stage 3 meaningful use rules require interoperability, up from 33% in Stage 2.
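Once patient records flow across organizational boundaries through FHIR APIs, the “proper controls” the EHR section above calls for have to live in the API layer: every partner gets the minimum the HIPAA Privacy Rule calls necessary, and every release is logged. The following is an added example written for this page; it is not code from the original article, from any EHR vendor or from the Argonaut Project. The JSON layout (resourceType, identifier, name, birthDate, telecom, address) follows the published FHIR Patient resource; the caller roles, the per-role allow-lists, the restricted identifier system, the year-only date rule and the sample record are all constructed assumptions for illustration.

```python
"""Role-based "minimum necessary" filtering of a FHIR Patient resource.

Added example; not code from the original article, from any EHR vendor or
from the Argonaut Project. The JSON layout follows the published FHIR
Patient resource; the roles, allow-lists, restricted identifier systems and
the sample record are constructed assumptions for illustration.
"""
import copy
import json
from typing import Any, Dict, List, Set, Tuple

# Constructed sample: a Patient resource as an EHR's FHIR API might return it.
SAMPLE_PATIENT: Dict[str, Any] = json.loads("""
{
  "resourceType": "Patient",
  "id": "example-123",
  "identifier": [
    {"system": "http://hospital.example.org/mrn", "value": "MRN-000123"},
    {"system": "http://hl7.org/fhir/sid/us-ssn", "value": "123-45-6789"}
  ],
  "name": [{"family": "Doe", "given": ["Jane", "Q"]}],
  "gender": "female",
  "birthDate": "1980-02-29",
  "telecom": [{"system": "phone", "value": "555-0100", "use": "home"}],
  "address": [{"line": ["1 Main St"], "city": "Springfield", "postalCode": "62701"}]
}
""")

# Assumed policy: the top-level Patient elements each caller role may receive.
# "*" means every element. The roles are invented; "resourceType" is always kept.
ROLE_POLICY: Dict[str, Set[str]] = {
    "clinician": {"*"},
    "billing": {"id", "identifier", "name", "birthDate", "address"},
    "research": {"id", "gender", "birthDate"},
}

# Assumed rule: identifiers in these systems go only to roles with full access,
# even when the identifier element itself is on the role's allow-list.
RESTRICTED_IDENTIFIER_SYSTEMS: Set[str] = {"http://hl7.org/fhir/sid/us-ssn"}

# Assumed rule: these roles receive only the year of birthDate, modeled on the
# HIPAA Safe Harbor requirement to remove date elements other than the year.
YEAR_ONLY_DATE_ROLES: Set[str] = {"research"}


def filter_patient(resource: Dict[str, Any], role: str) -> Tuple[Dict[str, Any], List[str]]:
    """Return (filtered copy, sorted list of what was removed).

    Raises ValueError for a non-Patient resource and PermissionError for an
    unknown role, so a caller can never fall through to an unfiltered record.
    """
    if resource.get("resourceType") != "Patient":
        raise ValueError("expected a Patient resource")
    allowed = ROLE_POLICY.get(role)
    if allowed is None:
        raise PermissionError(f"no policy for role {role!r}")

    out = copy.deepcopy(resource)  # never mutate the EHR's own copy
    removed: List[str] = []
    if "*" in allowed:
        return out, removed

    # Allow-list, not deny-list: an element the EHR adds later is dropped by default.
    for key in list(out):
        if key != "resourceType" and key not in allowed:
            del out[key]
            removed.append(key)

    if "identifier" in out:
        kept = [i for i in out["identifier"]
                if i.get("system") not in RESTRICTED_IDENTIFIER_SYSTEMS]
        if len(kept) != len(out["identifier"]):
            removed.append("identifier[restricted]")
        out["identifier"] = kept

    if role in YEAR_ONLY_DATE_ROLES and "birthDate" in out:
        out["birthDate"] = out["birthDate"][:4]  # "YYYY-MM-DD" -> "YYYY"
        removed.append("birthDate[month,day]")

    return out, sorted(removed)


def audit_event(role: str, resource: Dict[str, Any], removed: List[str]) -> Dict[str, Any]:
    """One log record per release: who got which patient, and what was withheld.

    A record like this supports the accounting of disclosures and the audit
    controls that the HIPAA Privacy and Security Rules require.
    """
    return {"event": "patient-release", "role": role,
            "patient": resource.get("id"), "removed": removed}


if __name__ == "__main__":
    for caller in ("clinician", "billing", "research"):
        view, withheld = filter_patient(SAMPLE_PATIENT, caller)
        print(json.dumps(audit_event(caller, SAMPLE_PATIENT, withheld)))
        print(json.dumps(view, indent=2))
```

The policy is an allow-list rather than a deny-list on purpose: when the EHR vendor adds a new element to its Patient payload, a partner role that was never granted it does not silently start receiving it. The same shape applies to any other FHIR resource; only the per-role element sets change.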

3. Mobile— With more than 50% of patients using their smartphone to monitor health and more than 50% of physicians using (or wanting to use) their smartphone to monitor patient health, and with seamless data sharing on its way, the way care is delivered will truly change.

Telemedicine is showing significant gains in delivering primary care. We will continue to see more adoption of mobile-enabled services for ambulatory and specialty care in 2016 and beyond for three reasons:

  • Mobile provides “situational awareness” to all stakeholders so they can know what’s going on with a patient in an instant and can move the right resources quickly with the push of a button.
  • Mobile-enabled services radically reduce communication overhead, especially when you’re dealing with multiple situations at the same time with urgency and communication is key.
  • The services can significantly improve the patient experience and reduce operating costs. Studies have shown that remote monitoring and mobile post-discharge care can significantly reduce readmissions and unnecessary admissions.

The key hurdle here is regulatory compliance. For example, auto-dialing 9-1-1 if a phone detects a heart attack can be dangerous if not properly done. As with the EHR, mobile services have to be designed around physician workflows and must comply with regulations.

4. Big data— Healthcare has been slower than verticals such as retail to adopt big data technologies, mainly because the ROI has not been very clear to date. With more wins on both the clinical and operational sides, that’s clearly changing. Of all the technology capabilities, big data can have the greatest near-term impact on the clinical and operational sides for providers, and it will be one of the biggest trends in 2016 and beyond. Successful companies providing big data solutions will do three things right:

  • Clean up data as needed: There’s lots of data, but it’s not easy to access, and it isn’t quite primed, or clean, for analysis. There’s only so much you can see, and you spend a lot of time cleansing before you can do any meaningful analysis.
  • Meaningful results: It’s not always hard to build predictive analytic models, but they have to translate to results that enable evidence-based decision-making.
  • Deliver ROI: There are a lot of products out there that produce 1% to 2% gains; that doesn’t necessarily justify the investment.

5. Internet of Things— While hospitals have been a bit slow in adopting IoT, three key trends will shape faster adoption:

  • Innovation in hardware components (smaller, faster CPUs at lower cost) will create cheaper, more advanced medical devices, such as a WiFi-enabled blood pressure monitor connected to the EHR for smoother patient care coordination.
  • General-purpose sensors are maturing and becoming more reliable for enterprise use.
  • Devices are becoming smart, but making them all work together is painful. It’s good to have bed sensors that talk to the nursing station, and they will become part of a top-level “platform” within the hospital. More sensors also mean more data, and providers will create a “back-end platform” to collect, process and route it to the right place at the right time to create “holistic” value propositions.

With increased regulatory and financial support, we’re on our way to making healthcare what it should be: smarter, cheaper and more effective. Providers want to do whatever it takes to cut costs and improve patient access and experience, so there are no real barriers.

Innovate and prosper!