Category Archives: ePHI

What to expect from MACRA: The early years

By Caitlin Greenbaum, Director of Health Policy & Strategy, The Health Management Academy   /  09 May 2017

MACRA legislation passed in April 2015. When the initial version of the rule came down, the industry collectively braced for declining revenues, the avalanche of administrative paperwork and the increase in overhead costs that would be required to comply.

When the final rule was issued in October 2016, the tempered requirements seemed to point toward fewer projected negative payment adjustments in 2019, the target year for MACRA’s first Quality Payment Program distributions, and the tension subsided a little.

Even with the new allowances in reporting and threshold scores, the MACRA structure makes clear that there’s an abundance of work to be done, especially around efforts to promote care coordination and communication.

Year 1: 2017-2018

Now that we’re already into 2017, the first official reporting year, tensions are rising again because, even though most physicians acknowledge they are going to participate, the majority have not yet plotted their course or defined a compliance strategy.

And if you’re in the group that hasn’t figured it all out yet, the good news is you’re not alone.

According to a recent poll conducted by The Health Management Academy, almost half of the physician and practice leaders who participated are not moving very quickly toward adopting value-based payment models. In fact, only 4% claimed to be moving “very quickly” while almost 40% admitted to moving “very slowly” toward value-based care.

Somewhat surprisingly, the same is true even for large hospital systems. These organizations are perceived to be the driving force, the ones moving the fastest toward the end goal of value-based care, and yet, per a similar poll, few of the large systems are moving very quickly.

Only 8% of large hospital systems polled are moving swiftly toward implementing value-based payment models. – The Health Management Academy, 2017

The Quality Payment Program, however, is going to be the catalyst for healthcare organizations, both large and small, moving more aggressively toward these models in the next couple of years.

The MACRA structure and how you fit in

By now, you know that reimbursements are going to be variable based on performance, even if you’re still practicing in a fee-for-service structure and, like most, have not yet begun practicing in the more advanced tracks.

There are four participation categories, which fall underneath two broad tracks—the Merit-based Incentive Payment System (MIPS) and Advanced Alternative Payment Model (APM) track.

The four MACRA Quality Payment Program participation categories. – The Health Management Academy, 2017

The two categories in the middle of the chart are bridge areas, and won’t apply to many providers right now, but they can be considered as stepping stones from MIPS to the Advanced APM track.

The MIPS track equates to fee‑for‑service, and most physicians will, at least initially, fall into this track. They’ll balance their steps toward embracing more downside risk by continuing to practice fee-for-service medicine, and so they must prepare to report performance metrics and have payments adjusted based on those metrics in 2019.

On the other end of the spectrum is the Advanced APM track. To reach “Advanced APM Qualifying Clinician” status, physicians must engage significantly in certain downside risk-bearing payment models. In this track, participating physicians will enjoy fewer reporting requirements and more financial incentives, while still being held accountable for delivering high-value care. The only way to sustain a profitable practice in this track is to eliminate wasteful workflows that result in inefficient and unreliable communication processes among all members of the broader care team, even if they are not directly affiliated with your practice.

Year 2: 2018-2019

In the first months of 2018, physicians practicing in the MIPS track—again, that will be most of you—will be required to report metrics in three performance categories based on at least 90 consecutive days of work. This should come as more good news, because if you haven’t started measuring yet, or you’re not impressed by your initial metrics, you still have time to pivot before the data is due in early 2018.

CMS will use that data to give each physician a composite score, which will determine the payment adjustment he or she receives in 2019.

The Quality Payment Program’s initially proposed rule was accompanied by disheartening projections in terms of payment adjustments, particularly for solo physicians and small practices. While the finalized October 2016-issued rule basically guaranteed that all physicians who submit any performance data will receive at least a neutral payment adjustment, physicians are still bracing themselves for less-than-average profit margins.

As MIPS is largely a budget-neutral program, less risk equals less reward. Since fewer physicians will be subject to negative payment adjustments in 2019 (see Image 3 below), fewer dollars will be available to distribute to those who perform well.

Only 20%—versus 87%—of physicians in smaller practices are projected to experience negative payment adjustments in 2019. – The Health Management Academy, 2017

Simply put, the best way to ensure your adjustment is as high as possible is to garner a high composite score.

Effectively coordinating care with your patients’ broader care teams as accurately and efficiently as possible to reduce waste and unnecessary overhead costs is a good first step toward achieving high scores in all four MIPS performance categories.

Back to the present

One of the goals of MACRA is to drive the costs out of treatment while still providing high-value care. Physicians will be in a much better position to deliver this dichotomy, and advance to a more rewarding reporting track, when the barriers to real-time care coordination have been broken down.

Seamless care team communication and collaboration among interdisciplinary, and often disparate, providers will be a foundation on which you can lay the groundwork for improved care coordination, which leads to less waste, improved efficiencies, and ultimately better outcomes, all of which underlie value-based care and the successful reduction of healthcare costs.

Source: “Making Sense of MACRA” webinar. The Health Management Academy and PerfectServe. March 2017. 

Watch the full webinar to learn even more about MACRA and how it applies to your practice.

Terry Edwards

Safeguarding security: 4 tactics for secure clinical communication and collaboration

By Terry Edwards  /  29 Jul 2016

I had the honor of speaking at the 2016 Becker’s Hospital Review Annual CIO/HIT + Revenue Cycle Summit, discussing the elements needed to truly secure clinical communications with some of the best minds in the healthcare world. With a number of recent high profile news stories announcing ransomware attacks in hospitals and health systems, security and the ability to secure clinical information is top of mind for many.

Those who oversee organizational data and IT systems recognize the importance of securing communication channels containing ePHI as they build a unified communications strategy. While security and regulatory mandates are essential elements of a clinical communication strategy, to create a truly successful strategy, the needs of those who provide care: physicians, nurses, therapists and others on the care team – in any setting – at any time – must be addressed flawlessly and securely.

To do so, there a few tactics to keep in mind:

Understand what the HIPAA Security Rule actually states – There’s been a lot of confusion in the industry when it comes to HIPAA compliance and communication. I often notice that many organizations think this is all about secure text messaging, which is incomplete. The Security Rule never speaks to a particular technology or communications modality, application or device. It is technology neutral.

HIPAA compliance is about the system of physical, administrative and technical safeguards that your organization puts in place to to ensure the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits. Because of this, there is no such thing as a HIPAA-compliant app.

Understand care team dynamics – Care team members are mobile and they employ workflows to receive communication based upon situational variables such as origin, purpose, urgency, day, time, call schedules, patient and more. The variables determine who should be contacted and how to do so for every communications event.

For this reason, third parties (hospital switchboards and answering services) and disparate technologies are used in organizations’ clinical communication processes. Understanding this variety of technologies and actors is key to accurately assessing your organization’s compliance risk. And, coming up with strategies to effectively address that risk is key.

Secure text messaging is essential, but it’s not sufficient – While secure messaging is an essential component of your overall strategy, it’s not sufficient because:

  1. it requires the sender to always know who it is they need to reach—by name.
  2. it requires the recipient to always be available to other care team members 24/7.

These requirements are inconsistent with the complexity inherent in communication workflows that enable time-sensitive care delivery processes, because they don’t address the situational variables I described above.

Secure messaging is only one piece of what should be a much larger communications strategy—one that should address clinician workflows and multi-modal communications channels for all care team members.

Your goal should be to enable more effective care team collaboration – Organizations often focus on achieving HIPAA-compliance. This is a flawed objective. The focus should be on achieving more effective care team collaboration. If this is done effectively, achieving HIPAA-compliance will come along for the ride.

Six essential capabilities – An effective secure clinical communications and collaboration strategy will include the following six elements.

  1. It will facilitate communication-driven workflows that enable time-sensitive care delivery processes. An example of a communications-driven workflow is stroke diagnosis and treatment. When a patient with stroke symptoms presents in the ED, one of the first things the ED physician does is initiate a communications workflow to contact the neurologist covering that ED at that moment in time, while simultaneously notifying and mobilizing a stroke team to complete a CT scan to determine if it is safe to administer tPA, the drug that arrests the stroke. Time is critical. Healthcare is chock full of these kinds of workflows, executed every day in every hospital by the hundreds and thousands.
  1. It will provide technology that automatically identifies and provides an immediate connection to the right care team member for any given clinical situation—this is nursing’s greatest need! Your strategy should be to bypass third parties and eliminate all the manual tools and processes used to figure out who’s in what role right now given the situation at hand. Ignoring this need means you won’t achieve adoption, which means your organization will still be at risk.
  1. It should extend beyond any department and the four walls of the hospital. It should enable cross-organizational communication workflows. This is increasingly important under value-based care where care team members must collaborate across interdependent organizations to deliver better care.
  1. It should secure the creation, transmission and access of ePHI across all communication modalities—not just text messaging. Enough said!
  1. It should integrate with your other clinical systems to leverage the data within those systems to facilitate new communication workflows. This is key to enabling “real-time healthcare.”
  1. It should provide analytics to monitor your communication processes and continuously improve those processes over time.

With these capabilities in place, secure clinical communication simply becomes another positive result of implementing a broader care team collaboration strategy, designed to address clinical efficiency and improve patient care delivery.

Terry Hayes

Balancing act: Making data security a priority in daily nursing routines

By Terry Hayes  /  24 Mar 2016

Regardless of the hospital or specialty office, nurses are an essential piece of patient-centered healthcare delivery models. As a former pediatric nurse practitioner, I know firsthand the amount of responsibilities nurses juggle, all while maintaining the personal, bedside manner needed to ensure patients and their families feel comfortable and knowledgeable about treatment and care. Nurses are often the first and last point of contact to provide care for a patient, and a critical part of the clinical communication process, especially in the digital age.

Unfortunately, as healthcare data breaches surge and the need to prepare for HIPAA audits increases, nurses must also factor data security into their daily routines. Since 2010, the HHS Office for Civil Rights reported more than 1,400 breaches of unsecured protected health information affecting 500 or more individuals, and this number is expected to escalate. Given nursing’s dynamic role in communicating with team members across the care continuum (physicians, other nurses, patients, etc.), it’s important that nurses, as well as other healthcare professionals, are provided the right levels of secure connectivity to deliver quality care for patients efficiently.

Nurse must also understand the need for security in many of their day-to-day activities. Here are a few areas nurses must constantly keep in mind:

  • Within the care setting – Can the patient information be viewed (or heard) by anyone besides the patient? Are the connected medical devices in use secured? Could another care provider or visitor access the device if the nurse steps away momentarily? With the growing use of telemedicine, does the patient have the right set-up to participate in portals, video calls, etc.?
  • Outside of a care setting – Are documents sent to the correct printer and/or fax, and are those documents picked up quickly? Can non-authorized personnel easily access EHRs and other technologies? Are any BYOD technologies secure? Does the outside setting have appropriate procedures in place to assure patient confidentiality and, if so, is it monitored?
  • During a care transition – Do the appropriate care team providers have access to relevant information? Are any others that participate in care that should be considered? If so, what level of information should be shared with those providers? Are all communications channels, such as a voicemail or email system, fully secure and HIPAA-compliant?

While education is critically important to ensuring nurses understand how to keep patient information secure, it’s also important for hospitals and other providers to identify processes and technological solutions to improve security, meet HIPAA standards and protect the confidentiality and integrity of patient data. This is particularly true as nurses (along with the rest of the patient care team face) more pressures to meet the demands of value-based care.

Nurses: how do you make data security a priority in your day? What challenges have you run into while balancing efficient and personal patient care with security?

Terry Edwards

Insights from HIMSS16: Four key takeaways

By Terry Edwards  /  14 Mar 2016

Each year, thousands of health IT leaders come together over one week to network, collaborate and shine a spotlight on industry accomplishments, challenges and innovation at HIMSS. I’ve attended the show for the past ten years, and I’ve seen trends evolve over time – some fading quickly, others becoming a constant theme throughout the years – all representing the ever-advancing healthcare landscape.

This year, as I walked the HIMSS show floor and had conversations with other executives, physicians and vendors, I noticed the following:

  • The market is shifting beyond secure messaging – For three years I’ve been talking about the fact that secure messaging is an essential feature of an organizations clinical communications strategy, but it’s not sufficient in and of itself. We talked to more than one organization that experienced a failed secure messaging deployment. Having learned, those organizations and others are realizing that a secure comprehensive communication solution that can improve workflow is what is required. (It’s about time!)
  • Security continues to evolve as a top priority – Healthcare CIOs are viewing security as a major challenge, and one that must be addressed holistically. I spoke with one CIO who shared that one set of lost physician network credentials caused through a phishing scam required the reset of 20,000 user credentials – a major disruption to the entire organization. We also discussed the challenges for keeping information protected; it’s clear that more comprehensive security solutions are needed to avoid the disruptions and other setbacks caused by breaches. Healthcare security today must extend past the surface level and become integrated into workflow, communications, technology, etc.
  • Moving beyond Meaningful Use to optimization – For nearly a decade, Meaningful Use was king. Now that most providers have implemented EMRs, the conversation has shifted from fear of non-compliance to how we can do more with the EMR. More and more providers are looking for ways to optimize their EMR investment to leverage data, extend its usage and refine the technology so that it works more seamlessly within clinician workflow. Workflow plays such a critical role in care and physician coordination, and providers need platforms that are smart and holistic – ones consistent with reality.
  • Shifting viewpoints on the future of the industry – Depending on who you talk to, conversations around the state of the healthcare industry and its future, which were in no shortage over the course of the week, differ in tone. With many factors, such as regulations, driving change in the industry, it becomes easy to take on a negative mindset – physicians in particular become frustrated with balancing patient care, compliance, data and technology. One notable challenge is providers are having to figure out how to take responsibility for a whole episode of care when the patient’s full team of physicians may not all be in one system. However, innovation continues to lead the way, and this, too, was reflected in many positive conversations about the healthcare landscape today.

Healthcare will continue to build on what we have today, optimizing our existing technology to address broader issues, and do so much more comprehensively – raising new trends and challenges just in time for HIMSS 2017. See you there!

Save the date: HIMSS 2017, February 19-23 in Orlando, Florida

Don Dally

The outdated browser: breeding ground for cybercrime

By Don Dally, chief technology officer at PerfectServe  /  10 Mar 2016

Is your health system’s browser up to date? Too many organizations don’t know the answer to that question and are unaware of the consequences for using unsupported browsers. Or, if they do know the answer, they aren’t in a position to act on it.

Now is the time to check if your workstations are using the latest browser version available. Earlier this year, Microsoft announced that it was discontinuing support for Internet Explorer versions 8, 9 and 10. The discontinuation of this support may affect more people than you think. The loss of this support means Microsoft will no longer provide vital security patches for these browser versions, increasing vulnerabilities that go unattended, and leaving healthcare organizations wide open for attacks. This should come as no surprise to healthcare stakeholders, who’ve seen cyberattacks increase in recent years, especially in the healthcare industry. Hackers will find a way to exploit these vulnerabilities. It’s not a matter or IF, but WHEN.

There are two main reasons why outdated browsers linger:

  1. A clinical application doesn’t support modern browsers—Many healthcare providers are running older versions of browsers because they use a legacy application from a vendor that will not work on more contemporary browser versions. In basic terms, the application is holding them back.
  2. The provider organization is not updating the browser—If, for whatever reason, the provider is not updating its browser, it requires vendors to spend an inordinate amount of time and effort making sure their applications will work across the various (often outdated) browser versions used by their customers.

Browser upgrades are a two way street: providers must make sure they are using the most up-to-date browser version for vital security updates while vendors must make sure that their applications and solutions can support contemporary and future browser versions so they are not holding their users back.

How to keep current

Although browser choice can be an overlooked decision, it’s important that both vendors and providers stay on top of the latest versions. Here are some steps to help providers and/or vendors break the cycle of using outdated browsers:

  • Vendors should be held accountable for keeping pace with browser evolution
  • If you have a legacy application that requires an older browser, keep the browser on the workstation current and use virtualization to serve up an older browser for the legacy app
  • Ensure your organization has procedures in place to keep your browsers updated and properly patched

If you’re not sure whether you are using the most up-to-date browser, check here to see the newest version of your browser that’s available. We all have to step up to the plate and stay current. It is no longer an issue of convenience; it is a matter of patient privacy.