Introducing a New HIPAA Privacy Notice for Patients and Practices

HIPAA Notice of Privacy Practices

September 23, 2013 is the date that medical practices and other covered healthcare entities will roll out a new Notice of Privacy Practices to patients to be compliant with the HIPAA Omnibus rule enacted in March 2013.

What Does This Mean For Patients?

Patients should be aware that after September 23rd, their healthcare providers will have a new Notice of Privacy Practices (NPP) available. The new NPP should be posted in each office, on the website if one exists, and should be available as a handout for any patient requesting it.

The new notice will include:

    • Reasons that your Protected Health Information (PHI) can and cannot be disclosed to others.
    • Information for opting out of communication related to fundraising activities, if your healthcare provider does any fundraising.
    • The ability to restrict your PHI from payer disclosure when you pay in cash instead of having the charges filed with your insurance plan.
    • Information about being contacted if there is a breach of your PHI due to unsecured records.

What Does This Mean For Practices?

    • A new Notice of Privacy Practices that is specialized to your practice must be developed.
    • The new NPP must be posted in your practice and on your website, and must be available as a handout for any established patient who requests it.
    • All new patients must be offered a copy of the new NPP and must sign an acknowledgement that they received it. (They may turn a copy of the NPP down, however.)
    • Policies that address the disclosure of information and records, and notification of a breach should one occur, must be developed.
    • Old and new versions of the NPP should be on file in the practice, and patient acknowledgements should also be kept as long as the medical record is retained.

What else is required for compliance with HIPAA Omnibus?

One of our good friends, Steve Spearman at Health Security Solutions, has posted great information on his site about the other requirements of the HIPAA Omnibus rule. His excellent posts help readers understand and comply with the new HIPAA guidelines in the following areas:

    • Business Associates Agreement (BAA) Update
    • Downstream Subcontractors Needing BAAs
    • New Breach Notification and Reporting Protocol
    • School Immunization Records Protocol
    • Electronic Fulfillment of PHI Request
    • Medical Record Protocols for Cash Payments

At Manage My Practice, we're offering a free sample Notice of Privacy Practices for your practice's use. Please read the sample notice carefully, make changes specific to your practice and add your practice name. Note that language related to fundraising is NOT included, as it will not apply to most private practices. If fundraising does apply to your practice, insert language such as the following:

Fundraising Activities: We may use PHI to contact you to raise money. If you wish to opt out of these contacts, or if you wish to opt back in to these contacts, please contact our Privacy Officer.

Likewise, if your practice has a research function, insert relevant language:

Research: We may use and share your health information for certain kinds of research; however, all research projects are subject to a special approval process.

Check your state laws.

Your state law may require authorizations for certain uses and disclosures of PHI beyond those outlined in the sample notice. Be sure to amend your NPP to reflect any state-specific laws (resource here) related to release of medical records. Remember to post your new NPP on your website and in your practice, and begin giving it to new patients on September 23, 2013.

The new Notice of Privacy Practices is not required until September 23rd, but you can start using it as soon as you have yours ready.

For more on HIPAA, read my post “Three Big HIPAA Myths.”

(Photo Credit: hyku via Compfight cc)

David Brooks of qliqSoft Talks to Us about Secure Communications, Replacing the SMS, and BYOD

a picture of David Brooks of qliqSoft, interviewed in this post


Last week Mary Pat and I had a chance to meet and sit down for a while with a smart guy whose new venture is doing some really exciting things in the healthcare space. One of our favorite things to do! In an effort to keep our readers on the edge of what's new, and to give more of the people we meet a chance to say hello and connect with our audience, we present the first in the MMP Interview series.

We first got in touch with David when he commented on one of our 2.0 Tuesday posts on Medigram, a new, private-beta secure communications service. David let us know that Medigram wasn't the only player in the space, and we agreed to meet for coffee and a chat. Soon after, we sat down with David for a coffee and a demo of his company's flagship product, qliqConnect, also currently in beta.

David is a sharp, passionate guy, and we loved having the chance to talk to him. Check out the interview below!

MMP: I know that qliqSoft offers a secure method for healthcare communication – what exactly does that mean?

David: Technically, it means that our secure messaging application – qliqConnect – addresses 3 key areas of security necessary to support HIPAA/HITECH compliance, as well as satisfy guidance provided by the Joint Commission last November:  authentication, encryption and auditability.

In plain English, it means that qliqConnect allows all users within an organization (physicians, nurses, and staff) to participate in secure conversations using a variety of devices – computers (Mac & PC), laptops, tablets, and smartphones (iPhone & Android) – running familiar applications:  texting on smartphones and chatting on computers.  We've simply borrowed these phenomenally popular and successful consumer applications and integrated them into a single, secure communication platform that stands up to healthcare's many rigors.

MMP: What is BYOD and how does that promote physician engagement with this technology?

David: BYOD stands for "bring your own device."  It's a pretty basic idea that represents a sea change, not just in healthcare, but across many other industries in organizational attitude towards mobile devices.  For years, conventional wisdom held that organizations could better secure and better manage devices if they standardized on a single platform and single device.  In other words, the organization purchased the devices and issued them to employees.  Think of Blackberry's golden years.  While it is still arguably true that it is easier to secure and support a single device, the iPhone revolution proved that personally-liable (end-user owned) devices could not be kept outside of the work environment.  Over the last couple of years, many organizations have moved away from the single-device approach and have instead sought ways to rein in end-user devices.

At the end of the day, it is a trade-off.  Organizations that accept a BYOD approach may give up a little control but should end up with higher end-user adoption, and in turn, higher productivity.  Let’s face it, who wants to carry around a second (typically inferior) device?

At qliqSoft, we are basically neutral on the subject of deployment models.  I say “basically” because we are focused on supporting the platforms and the devices that end-users are using.  Currently, we support iOS, so our application runs on iPhone, iPod Touch, and iPad.  We are releasing Android in the next couple of weeks, and then we will begin working on a native iPad application soon after.  We are not seeing enough demand on other platforms at this time to warrant the investment, but are always open to reassessing this.

MMP: We’ve heard a lot about HIPAA breaches recently – can you explain how qliqSoft protects patient information from being exposed on the internet or being accessed through lost or stolen laptops or smartphones?

David: I expect we’ll continue to hear about HIPAA breaches for quite some time.  In fact, growing enforcement is driving many organizations to take a closer look at well-known gaps, such as SMS texting.  Although we have developed a powerful and highly extensible secure communication platform, secure messaging is getting a lot of attention right now, as it should.

Our secure messaging solution, qliqConnect, addresses 3 primary security requirements needed to satisfy HIPAA/HITECH compliance, as well as guidance provided by the Joint Commission:

1)  Authentication:  our application requires end-users to log in using secure credentials.

2)  Encryption:  all data is encrypted both in transit and at rest.

3)  Auditability:  organizations have the option to store all message traffic on an organizational asset for archiving and audit purposes.

Additional security features include:

  • remote lock and remote data wipe
  • all messages are date/time stamped, along with message status (sent, pending, delivered/received)
  • acknowledgement request to ensure message was received, read and understood by recipient

In addition to application features, it is worth mentioning a little about our architecture, as we do not employ a typical cloud-based client/server design.  We do not store, nor can we access any of the information that flows through our network.  All information is stored within customer resources (both smartphone and desktop computer clients).  Although we utilize a cloud-based server to route message traffic in real-time, information is persisted in the cloud only long enough to complete message delivery, at which point it is deleted from our servers.  The message traffic itself is encrypted using 1024-bit RSA encryption while attachments are encrypted using 256-bit AES encryption.  Furthermore, all traffic is sent across port 443.  The payload is encrypted using public keys and decrypted with private keys, which are locked inside end-user devices and clients.  No one, other than the message recipient, can decrypt messages.  In other words, storage is distributed and controlled by end-users and their organizations.

a screenshot of the qliqConnect program in use

MMP: Who is your target market for qliqSoft – is it hospitals, or practices, or essentially all healthcare providers?

David: We believe that a secure communication solution must address all personnel in an organization, regardless of role and regardless of the size of the organization.  Everyone involved in patient care should have the opportunity to participate in secure conversations.  Solutions that address only one set of constituents or that exclude key team members are of limited value and only contribute to healthcare IT's never-ending "silo-fication".

I should add that while there are no doubt opportunities to extend secure messaging into other industries, qliqSoft is a healthcare-focused company.  Every aspect of our solution, from our platform with its built-in HL7 integration engine to end-applications that support a number of healthcare-specific features, was designed to improve communications across healthcare.

MMP: How does qliqSoft compare with solutions already on the market?

David: For starters, we believe that our technology and our architecture provide superior security.  For example, many larger organizations appreciate that we do not store all end-user traffic in a single cloud-based server.  In addition to increasing the risk of a potential breach as well as the impact, centralized storage places a tremendous burden on vendor organizations to properly manage stored PHI.

Nevertheless, I expect that most competitors in this space will offer credible answers to the requisite security questions.  Increasingly I suspect conversation will evolve to the more fundamental question of usability.  And, by “usability” I am not referring to minor features and functionality.  Any vendor is capable of adding market-driven bells and whistles.  I am talking about the most important question an end-user cares about:  can I reach the people I need to?

Texting is a great application, but the reason SMS is the most popular application on the planet is because it doesn’t require any special software.  If you know someone’s cell number, you can send them a text.  Unfortunately, there is no way to secure SMS without introducing client-side software, at which point you would move away from SMS to superior technologies.  The challenge then becomes how to build a secure solution that scales relatively easily so that end-users can reach the people they need to.

Although there is not a lot of discussion on this topic yet, I think it will quickly move to center-stage.

Unlike a number of our competitors that have deployed physician-only solutions, we have been inclusive of all healthcare professionals from day one.  Additionally, we are getting ready to roll out a number of enhancements to our platform that will make it much easier for users to expand their secure network both within and beyond their direct organization.

MMP: If I gave this solution to my providers and staff, what immediate value can we expect? Longer term?

David: Honestly, if you gave your providers and staff qliqConnect, the most immediate benefit you would notice is that your compliance officer is sleeping better at night.  I do not mean to minimize the value of qliqConnect or the potential it possesses.  Rather, my point is to emphasize the degree to which people are currently abusing unsecure communication tools like SMS and chat.  In other words, we are providing tools that your people are already using.  And I hardly blame them.  In an industry plagued by longstanding communication challenges, it only makes sense that healthcare professionals would turn to these great tools to improve workflow, and ultimately the care they provide.  With qliqConnect, they can use these tools without fear and without looking over their backs.

Longer term there is no limit to the value users can gain.  I mean that.  Once we establish a secure connection between two individuals or two organizations, there are an infinite number of possibilities for exchanging both structured and unstructured data.  In fact, most conversations I have these days start on the topic of secure texting and end on accountable care organizations (ACOs) and collaboratives.

MMP: What else does qliqSoft offer?

David: For the time being we are completely focused on making qliqConnect the best solution on the market.  As I mentioned, we have a few exciting technical milestones coming up over the next couple of months, including support for Android as well as a number of enhancements to our underlying platform.  Once those milestones are reached, we will resume work on both qliqCharge, our mobile charge capture application, as well as qliqCare, an enterprise-based variation of qliqConnect that expands functionality through integration with both clinical and telephony systems.  Despite the incredible demand we have for additional tools and capabilities, we know that a laser-tight focus on our platform right now is going to pay huge dividends for qliqSoft and our customers going forward.  These are exciting times for us.

Thanks so much to David for taking the time to show us qliqConnect and answer our questions!

You can learn more about qliqSoft at their website or follow them on Twitter.
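To illustrate the architecture David describes above, where a relay routes messages it cannot read because the payload is encrypted to the recipient's public key and the private key stays on the device, here is an added example written for this post; it is not qliqSoft's code, and qliqConnect's actual protocol is not published here. It wraps a one-time AES-256-GCM message key with RSA-OAEP; the key sizes (2048-bit RSA, 256-bit AES), the Envelope type and the function names are the example's own choices, and the sample message is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything the relay server sees and forwards. Both key and body
// are opaque without the recipient's private key, which never leaves the device.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, encrypted with RSA-OAEP to the recipient
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // message body followed by the GCM authentication tag
}

// Seal runs on the sender's device. A fresh AES-256 key is drawn per message and
// wrapped with the recipient's public key, so the relay never holds a usable key.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open runs on the recipient's device, the only place the private key exists.
// Any modification of the envelope in transit makes the GCM tag check fail.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: not the intended recipient")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message rejected: authentication tag mismatch")
	}
	return plaintext, nil
}

// RelayCanRead models the server's position: it holds the envelope but only its
// own key pair, so decryption must fail. It returns true only if the design is broken.
func RelayCanRead(env *Envelope) bool {
	relayKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false
	}
	_, err = Open(relayKey, env)
	return err == nil
}

func main() {
	// Constructed sample: one recipient key pair and one short clinical message.
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&recipient.PublicKey, []byte("Pt in room 4 ready for discharge review"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("relay can read message: %v\n", RelayCanRead(env))
	msg, err := Open(recipient, env)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", msg, err)

	// Flip one ciphertext byte in transit; the recipient must reject the envelope.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(recipient, env)
	fmt.Printf("tampered envelope accepted: %v\n", err == nil)
}
```

The same wrapping step is what lets an organization keep an archive copy for audit purposes: the sender simply adds a second WrappedKey for the archive's public key, without giving the relay any key of its own.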

HHS Releases a Proposed Rule for ICD-10 Go-Live October 2014


Today HHS announced a proposed rule (complete rule here – 175 page pdf) that would delay the go live for ICD-10 from October 1, 2013 to October 1, 2014. What follows are excerpts from the proposed rule.

Why Has HHS Proposed a Change to the Live Date for ICD-10-CM and ICD-10-PCS?

The final rule adopting ICD-10-CM and ICD-10-PCS (collectively, “ICD-10”) as HIPAA standard medical data code sets was published in the Federal Register on January 16, 2009. The ICD-10 final rule requires covered entities to use ICD-10 beginning October 1, 2013.

In late 2011 and early 2012, three issues emerged that led Secretary of HHS Kathleen Sebelius to reconsider the compliance date for ICD-10:

  1. The industry transition to Version 5010 did not proceed as effectively as expected;
  2. Providers expressed concern that other statutory initiatives are stretching their resources; and
  3. Surveys and polls indicated a lack of readiness for the ICD-10 transition.

The Transition to Version 5010

As the industry approached the January 1, 2012 Version 5010 compliance date, a number of implementation problems emerged, some of which were unexpected. These included:

  • Trading partners were not ready to test the Version 5010 standards due to vendor delays in delivering and installing Version 5010-compliant software to their provider clients;
  • Version 5010 errata were issued to correct typographical mistakes and other maintenance issues that were discovered as the industry began its internal testing of the standards, which delayed vendor delivery of compliant products and external testing;
  • Differences between address requirements in the “provider billing address” and “pay to” address fields adversely affected crossover claims processing;
  • Inconsistent payer interpretation of standard requirements at the front ends of systems resulted in rejection of claims, as well as other technical and standard misinterpretation issues;
  • Edits made in test mode that were later changed when claims went into production without adequate notice of the change to claim submitters; and
  • Insufficient end to end testing with the full scope of edits and business rules in place to ensure a smooth transition to full production.

Given concerns that industry would not be compliant with the Version 5010 standards by the January 1, 2012 compliance date, the HHS announced on November 17, 2011 that they would not initiate any enforcement action against any covered entity that was not in compliance with Version 5010 until March 31, 2012, to enable industry adequate time to complete its testing and software installation activities. On March 15, 2012, this date was extended an additional 3 months, until June 30, 2012.

The ICD-10 final rule set October 1, 2013 as the compliance date, citing industry testimony presented to NCVHS (National Committee on Vital and Health Statistics) and many of the over 3,000 industry comments received on the ICD-10 proposed rule.

The analysis in the ICD-10 final rule with regard to setting a compliance date emphasized the interdependency between implementation of ICD-10 and Version 5010, and the need to balance the benefits of ICD-10 with the need to ensure adequate time for preparation and testing before implementation.

As noted in the ICD-10 final rule, “[w]e cannot consider a compliance date for ICD-10 without considering the dependencies between implementing Version 5010 and ICD-10. We recognize that any delay in attaining compliance with Version 5010 would negatively impact ICD-10 implementation and compliance.” (74 FR 3334) Based on NCVHS recommendations and industry feedback received on the proposed rule, we determined that “24 months (2 years) is the minimum amount of time that the industry needs to achieve compliance with ICD-10 once Version 5010 has moved into external (Level 2) testing.” (74 FR 3334) In the ICD-10 final rule, we concluded that the October 2013 date provided the industry adequate time to change and test systems given the 5010 compliance date of January 1, 2012.

As implementation of ICD-10 is predicated on the successful transition of industry to Version 5010, we are concerned that the delays encountered in Version 5010 have affected ICD-10 planning and transition timelines.

Providers have Expressed Concern that Other Statutory Initiatives are Stretching Their Resources

Since publication of the ICD-10 and Modifications final rules, a number of other statutory initiatives were enacted, requiring health care provider compliance and reporting. Providers are concerned about their ability to expend limited resources to implement and participate in the following initiatives that all have similar compliance timeframes:

  1. The EHR Incentive Program was established under the Health Information Technology for Economic and Clinical Health (HITECH) Act, a part of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5). Medicare and Medicaid incentive payments are available to eligible professionals and hospitals for adopting electronic health record (EHR) technology and demonstrating meaningful use of such technology. Eligible professionals and hospitals that fail to meaningfully use EHR technology could be subject to Medicare payment adjustments beginning in FY 2015.
  2. The Physician Quality Reporting System is a voluntary reporting program that provides incentives payments to eligible professionals and group practices that satisfactorily report data on quality measures for covered Physician Fee Schedule services furnished to Medicare Part B Fee-for-Service beneficiaries.
  3. The eRx Incentive Program is a reporting program that uses a combination of incentive payments and payment adjustments to encourage electronic prescribing by eligible professionals. Beginning in 2012 through 2014, eligible professionals who are not successful electronic prescribers are subject to a payment adjustment.
  4. Finally, section 1104 of the Affordable Care Act imposes additional HIPAA Administrative Simplification requirements on covered entities.

    January 1, 2013
      • Operating rules for eligibility for a health plan and health care claim status transactions

    December 31, 2013
      • Health plan compliance certification requirements for health care electronic funds transfers (EFT) and remittance advice, eligibility for a health plan, and health care claim status transactions

    January 1, 2014
      • Standards and operating rules for health care electronic funds transfers (EFT) and remittance advice transactions

    December 31, 2015
      • Health plan compliance certification requirements for health care claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health care claims attachments, and referral certification and authorization transactions

    January 1, 2016
      • Standard for health care claims attachments
      • Operating rules for health care claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, referral certification and authorization transactions

    Proposed October 1, 2014
      • Unique health plan identifier

Current State of Industry Readiness for ICD-10

It is crucial that all segments of the health care industry transition to ICD-10 at the same time because the failure of any one industry segment to successfully implement ICD-10 has the potential to affect all other industry segments. Ultimately, such failure could result in returned claims and provider payment delays that disrupt provider operations and negatively impact patient access to care.

In early 2012, it became evident that sectors of the health care industry would not be prepared for the October 1, 2013 ICD-10 compliance date. Providers in particular voiced concerns about their ability to meet the ICD-10 compliance date as a result of a number of factors, including obstacles they experienced in transitioning to Version 5010, HIPAA requirements from the Affordable Care Act, and the other initiatives that stretch their resources. A CMS survey conducted in November and December 2011 (hereinafter referred to as the CMS readiness survey) found that 26 percent of providers surveyed indicated that they are at risk for not meeting the October 1, 2013 compliance date.

Given the evidence that segments of the health care industry will likely not meet the October 1, 2013 compliance date, the reasons for that likelihood, and the likelihood that a compliance date delay would significantly improve the successful and concurrent implementation of ICD-10 across the health care industry, we are proposing to extend the compliance date for ICD-10.

One-Year Delay Justification

The HHS is proposing to extend the compliance date for ICD-10 for 1 year, from October 1, 2013 to October 1, 2014. This change would be reflected in the regulations at 45 CFR 162.1002. While a number of alternatives were considered for the delay, as discussed in the Impact Analysis of this proposed rule, it is believed a 1-year delay would provide sufficient time for small providers and small hospitals to become ICD-10 compliant and would be the least financially burdensome to those who had planned to be compliant on October 1, 2013.

To determine the new compliance date for ICD-10, the need for additional time for small providers and small hospitals to become compliant was balanced with the financial burden of a delay on entities that have developed budgets and planned process and system changes around the October 1, 2013 compliance date. Entities that have started planning and working toward an October 1, 2013 implementation would incur costs by having to reassess and adjust implementation plans and maintain contracts to manage the transition beyond October 1, 2013. We concluded that a 1-year delay would strike a reasonable balance by providing sufficient time for small providers and small hospitals to become compliant and would minimize the financial burden on those entities that have been actively planning and working toward being compliant on October 1, 2013.

Finally, in its March 2, 2012 letter to the Secretary on a possible delay of the ICD-10 compliance date, the NCVHS urged that any delay should be announced as soon as possible and should not be for more than 1 year. The NCVHS made this recommendation in consideration of its belief that a delay would cause a significant financial burden "that accrues with each month of delay."

The HHS believes that a 1-year delay would benefit all covered entities, even those who are actively planning and striving for a 2013 implementation. A 1-year delay would enable the industry as a whole to test more robustly and implement simultaneously, which would foster a smoother and more coordinated transition to ensure the continued and uninterrupted flow of health care claims and payment.

Therefore, the HHS is proposing that covered entities must comply with ICD-10 on October 1, 2014.

Bonus: Some Interesting Data I Found in the ICD-10 Proposed Rule:

  • The total number of health care claims in 2013 is projected to be 5.8 billion.
  • The cost to health plans for manually processing a pended claim is $2.30 per claim.
  • According to the Medical Group Management Association (MGMA), the staff time required to manually process a returned claim is 15 minutes, at a cost of approximately $4.14 for labor, a factor derived from the Bureau of Labor Statistics. This includes staff time spent to correct the error and resubmit claims that are returned.
  • Using the experience of one university’s bachelor’s-level health information management program, students take the ICD coding course in the spring of their junior year. Students enrolling in Spring 2012 courses will graduate in May 2013. Anticipating the October 1, 2013 compliance date, the university started offering ICD-10 courses this spring in place of ICD-9 with the understanding that it will be preparing students for employment after graduating in 2013. If ICD-10 is delayed a year, as proposed in this rule, the 30 students in the program will have to take ICD-9 courses in addition to their ICD-10 courses in order to obtain the ICD-9 competencies to get jobs. The extra course will cost each of the 30 students approximately $2,000 (in-state tuition) or a total of $61,000.
  • Total cost of a 1-year delay in the compliance date of ICD-10 = $3,808M (mean average)
  • According to the U.S. Census Bureau, Detailed Statistics, 2007 Economic Census, there are approximately 220,100 physician practices. The U.S. Census Bureau data indicates that two percent of physician practices have revenues of $10 million or more; therefore approximately 4,400 physician practices are not small entities.
  • According to the Small Business Administration’s size standards, a small entity is defined as follows according to health care categories: Offices of Physicians are defined as small entities if they have revenues of $10 million or less; most other health care providers (dentists, chiropractors, optometrists, mental health specialists) are small entities if they have revenues of $7 million or less; hospitals are small entities if they have revenues of $34.5 million or less.
  • The 2007 Census Bureau reports that there are approximately 6,500 hospitals. The data indicates that 85 percent of hospitals have sales/receipts/revenues of $10 million or more.
  • Statistics on the cost of delaying ICD-10 to 2014 were based on:
    • Physician practices with less than 50 physicians = 233,239
    • Physician practices with 50 to 100 physicians = 590
    • Physician practices with more than 100 physicians = 393
    • Hospitals with less than 100 beds = 2757
    • Hospitals with 100 to 400 beds = 2486
    • Hospitals with more than 400 beds = 521


Haven’t Started Your ICD-10 Preparations Yet?

Start your plan by reviewing the resources below:


Manage My Practice offers ICD-10 transition help to physician practices, focusing on documentation improvement to support ICD-10 coding. For more information, please complete the contact form here.

Managed IT Services, HIPAA/HITECH Compliance and Changing IT Providers: Ed Garay from Lutrum Answers Your IT Questions.

Mary Pat: Where does the name of your company, Lutrum, come from?

Ed Garay: When I was developing a name for this company, I didn't want to be like every other healthcare IT services company with health, md, medical, etc. as part of their name.  I wanted it to represent something deeper about what we do and who we are as an IT organization.  Although we are IT specialists, I realized that one of the things that I am always working with my team on is to listen and understand our clients' needs.  Which led me to create the name, Lutrum.  Lutrum is a slight variant of the Latin word Lutra.  Lutra means otter in English.  And the otter symbolizes empathy.

Mary Pat: What led up to you starting your own business?

Ed Garay: In late 2000, I worked as an IT Director for an organization that continued to downsize.  I came to a career crossroad.  With starting to support under 100 systems, and the network running in tip-top shape, there was really no need for me to be there full-time in the long run.  So, do I look for another job that can't possibly be as fulfilling as where I was, or do I take a leap of faith and start up my own business and share my knowledge with the masses?  Through the feedback of mentors and other resources that knew me personally and professionally, I was highly motivated to take the leap of faith and have never looked back.  My business career has evolved over the years and has naturally led me to Lutrum.

Mary Pat: What are Managed IT Services?

Ed Garay: Managed IT Services is a proactive approach to IT support.  It’s a flat fee service that provides virtually unlimited support.  And in our case, it also includes virtually unlimited Clinical Application Support, which is Managed IT Services includes proactive measures such as Anti-virus/Anti-malware software, Anti-spam services, backup services and other services that help prevent certain issues.  It’s intended to be a Win-Win-Win scenario.  If we are doing our job correctly, then it’s a Win for us since we have less reactive ‘fires’ to put out, a Win for our client as their entire organization remains productive (and there are less jokes made by their staff about their technology), and a Win for our client’s client as one of the results of properly leveraged technology is responsive customer service.

Mary Pat: Can you expand on what you mean by Clinical Application Support?

Ed Garay: We assist you with your use and management of your practice management and EMR software by helping you create or update templates, helping you manage and train staff on system upgrades, helping you create training materials and cheat sheets, and are available to help you however we can to improve your use of the software.

Mary Pat: How can you manage practices nationally?

Ed Garay: With our Managed IT Services support platform, we are able to do at least 80% of IT support remotely.  The newer the client’s hardware, the higher the percentage.  When in need of someone onsite, or ‘remote hands,’ outside of our area for a short amount of time, we reach out to our network of IT Partners to help.  In some cases we work with internal client staff if they are made available to us.  But because we can do so much remotely, and we work well as a team with our clients’ staff and their vendors, all management of our clients is done out of our main office.  We do make site visits from time to time as necessary.

Mary Pat: What sets you apart from other companies offering IT services?

Ed Garay: First, I have the most memorable personal tag line “When your computer is dead, call Ed!”  Second, Lutrum has a culture of personable IT people.  Although we work hard, we definitely appreciate good humor and enjoy working closely with our clients.  Third, unlike most IT companies, we won’t just install your EMR/PM application and leave.  We will also provide you with a Clinical Application Manager to help you leverage your technology and work towards a Return On Investment.  Lastly, we continue to modify our Managed IT Service offerings so that they are turnkey.  For example, we include many services and hardware that most IT providers would prefer to charge separately.

Mary Pat: You recently had a booth at the MGMA annual meeting in Las Vegas and had a lot of interest in your Compliance product.

Ed Garay: Practices are looking for help with HIPAA/HITECH compliance and we had a number of managers who told us they came to the exhibit hall specifically looking for our solution.

Mary Pat: What is your HIPAA/HITECH solution?

Ed Garay: The HIPAA/HITECH Report on Compliance is generated by a ROC (Report on Compliance) cloud-based tool that we provide.  Three key features to it are:  It meets the Meaningful Use Stage 1 Security Risk Analysis requirement, it’s a system that is continuously updating regulations so that a Practice’s Compliance Officer doesn’t have to keep track on their own, and Covered Entities can better manage and track their Business Associates’ compliance documentation.  Since it is built in a Yes/No question format, it becomes easier to figure out where your organization stands with compliance.  As a Managed Compliance Provider, I originally started offering the ROC tool so that our clients can hold us accountable for keeping them HIPAA/HITECH compliant.  But we soon found out that with our expertise on the HITECH side of compliance, we can assist practices even with existing internal or external IT support as well. MMP readers can request a sample ROC (see a small section below) by emailing me at

Sample of the report generated by the ROC tool Lutrum offers for HIPAA/HITECH compliance

Mary Pat: One of the most nerve-wracking projects a manager can undertake is moving from one IT vendor to another. Can you talk about how that process can be successful?

Ed Garay: It is possible to achieve success during an IT Vendor Transition.  If you follow the steps outlined here, you will feel more confident about making an IT Vendor change and can start expecting better results from your current (or future) IT Vendor.

  • Start with understanding the agreement terms with your current IT vendor.  Some may have an early termination fee.  You’ll want to have 15-60 days of availability from your current IT Vendor before fully cutting over to your new IT vendor.
  • Determine the timeline of transition that works best for your medical practice.  Is it a transition that needs to be expedited, or is it one that needs detailed consideration?
  • If you do not have network documentation provided to you by your IT Vendor, have them provide you electronic documentation of the following:
    • Computer Inventory
    • Administrator usernames and passwords for networked devices, your domain, online providers, website hosting, etc.
    • Medical Practice’s top three HIGH RISK areas
    • List of open support requests, especially if they are known security concerns and high priority requests
    • List of 3rd party service partners such as Internet Service Providers, Online Backup Providers, Website Hosting Providers, etc.
    • Backup configuration(s) and devices
    • Endpoint Security configuration(s) such as Anti-virus and Anti-spyware software
    • Anti-spam configuration(s)
    • Network configuration(s) and layout to include wireless connectivity, VPNs, and networked devices
  • Provide this documentation to your new IT Vendor and allow them 3-5 business days to comb through the information and document questions they may have for your current IT Vendor.
  • Initiate a conference call or face-to-face meeting between your medical practice (key individual(s)), your current IT Vendor and new IT Vendor.  This is a very critical step.
    • All great IT Vendors exit their clients’ organizations smoothly.
    • With your network documentation in hand, the new IT Vendor can talk more specifics with your current IT Vendor.
    • If certain software and services are specific to your current IT vendor, the current and new IT vendor will need to coordinate the swapping out of the software and services within your timeline.
  • Encourage current and new IT vendors to communicate with each other regularly during the identified timeline.
  • Have both IT Vendors regularly report updates on the transition to you.
  • Have your new IT vendor engage with your medical practice’s end users during the transition before Go Live.
  • Go Live of your new IT Vendor’s services!

Mary Pat: As a takeaway for MMP readers, Ed has put together a Top 10 List of steps that practices can take to ensure they are mitigating HIPAA/HITECH risks. For your copy, send an email to

Ed Garay, CEO and Founder of Lutrum

Ed Garay is the CEO of Lutrum, a managed IT services company that provides medical practices with a turnkey IT solution. He is certified in Management of Clinical Information Technology. Ed says “Through state-of-the-art technology, strategic planning, quick response time, and open communications, we create a winning partnership between your team and ours so that your IT worries disappear, leaving you more time to run your business.” You can contact Ed at 480.745.3091 or

The Personal Health Record (PHR) is Alive and Well! Meet Zweena.

A personal health record (or PHR) is an individual electronic health record that is stored securely on the Internet so it can be accessed by medical providers and caregivers who have permission.

PHRs allow the storage of all critical health history information in one place. In the event of an emergency, the patient, caregiver or family member can give providers access to health information. By having the most current information always available, duplicate or unnecessary tests can be avoided as can possible drug interactions. This benefit is achieved without having to rely on the memory or incomplete records of the patient. PHRs also allow patients, caregivers or third-party vendors to update information regularly over the Internet so that new data can always be accessed by stakeholders.

Although Personal Health Records have been around for more than 10 years, they have gained little traction. Amidst a healthcare environment that is increasingly supportive of the empowered patient, most patients have neither the time nor the knowledge to enter their own records into a PHR. Many PHRs can interface with an individual hospital or physician’s EHR system, but most are unable to share information bi-directionally with more than one entity or flow seamlessly into a Health Information Exchange (HIE).

With that being said, PHRs could be poised to make a big impact on the future of the delivery of health services. Today’s providers are shifting their focus from individual visits to entire episodes of care across the care continuum, which has the potential to benefit from digitized patient records. As more providers convert to electronic medical records, one of the next steps towards fulfilling the Meaningful Use criteria needed to receive Federal incentive payments is to achieve Enterprise Integration with their electronic records, defined by the HITECH act as:

“the electronic linkage of health care providers, health plans, the government, and other interested parties, to enable the electronic exchange and use of health information among all the components in the health care infrastructure in accordance with applicable law.”

In short, healthcare providers have to adopt systems that can then interface with other providers to share patient data, and collect public health data for comparative effectiveness research.

Although the death of Google Health this year has led many to speculate that the PHR is an idea too far ahead of its time, Zweena is challenging that notion.

Zweena is a personal health record management solution, as opposed to a standalone PHR. Zweena overcomes the traditional downfall of PHRs by taking care of everything for the patient and bridging the (huge) gap between healthcare providers and patients. Upon request by the patient, Zweena contacts the patient’s care providers, requests their records and enters the record information into the PHR properly. The patient record, accessible via Microsoft HealthVault, is then available for easy exchange with hospitals, physician offices, continuing care communities, family members and others permissioned by the patient.

Zweena is involved in a fascinating pilot program starting October 2011. Virtua Hospital in Southern New Jersey has contracted with Zweena to provide ALL residents in a three-county area a free PHR with all the heavy lifting done by Zweena. This three-year agreement will be a tremendous test of the concept of the personal health record and the improvement of health and healthcare for these communities.

Zweena CEO John Phelan comments, “Most of us only think about our health and our medical records when we are reacting to a health crisis. By then, it is too late to harness the power of our assembled health information. Zweena gives all of us an opportunity to use the information we have today and be more proactive and engaged with our own health information and the information for those we love and care for.”

Image by Mary Pat Whaley

This article was first posted on Technorati.

Learn This: Physicians, Smartphones and mHealth

For the organized and busy professional on the go, the smartphone has quickly become a necessity on par with a person’s house keys, wallet, or purse. The past five years have vaulted the smartphone from status symbol to must-have business tool by bringing data and communication capabilities from your office to the palm of your hand. With decision making and communication tools always at the ready, you can be productive from anywhere you are, and you are freed up to bring information to clients, meetings, and conferences without the hindrance of a laptop.

Physicians, practitioners and forward thinking healthcare organizations are leading the charge to embrace mobile health, often called mHealth, or the practice of patient care supported by mobile devices. A survey conducted at the physician online and mobile community QuantiaMD in May of 2011 found 83% of physicians reported using at least one mobile device and 25% used both a phone and a tablet. Of the 17% surveyed who did not use a mobile device, 44% planned on purchasing a mobile device sometime in 2011. Physicians surveyed reported their top uses for mobile devices as:

  • looking up drug treatments and reference material (69%)
  • learning about new treatments & clinical research (42%)
  • helping me choose treatment paths for patients (40%)
  • helping me diagnose patients (39%)
  • helping me educate patients (27%)
  • making decisions about ordering labs or imaging tests (26%), and
  • accessing patient information and records (20%)


Why is mHealth such a big deal?

The reason the healthcare industry is moving so quickly to adopt mHealth practices is that changing legislative, demographic and financial conditions are forcing providers and care organizations to seek efficiencies and cost-savings from technology. Many physicians purchased their mobile device not imagining it as a clinical tool, only to discover possible uses in patient care after adoption. Moreover, since mobile devices are built on platforms that allow for the development and distribution of healthcare-specific applications (apps) that support clinical practice, software companies are able to quickly respond to physician demand for new and better solutions.

Applications can vary widely in quality, purpose, and cost, but are generally easy to acquire, test and adopt. Reference works like Davis’s Drug Guide (iOS / Android), Taber’s Medical Dictionary (iOS / Android) and Netter’s Atlas of Human Anatomy (iOS / Android) are available in searchable, easy-to-use digital versions. Tablets, with larger, shareable screens, provide even better opportunities in patient education and imaging diagnostics – without having to drag (or roll) a laptop into a care setting, and without the barrier of a screen that separates provider and patient.

mHealth and EHRs

Even bigger opportunities are possible when mobile devices are tied into Electronic Health Records (EHRs) to give providers access to their patients’ history at a glance. With the HITECH provisions of the ARRA or Stimulus Act, healthcare organizations have incentives to adopt EHRs that fulfill meaningful use requirements in the next five years. While current adoption of EHR technology is only at around 20 to 25%, healthcare analysts David C. Kibbe, MD, MBA and Brian Klepper, PhD, writing for Kaiser Health News, predict that 2011 and possibly 2012 will find providers cleaning house to prepare for EHR adoption or upgrade, while some organizations will stay on the sidelines to avoid high switching costs from legacy electronic and paper systems.

The potential for care is enormous however, as mobile access to patient data in a secure setting would mean dramatic efficiencies for providers who normally have to rely on either a stationary computer or a retrieved paper record. Mobile patient data would also allow for easier compliance with hospital treatment protocols via alerts, and for consultation amongst physicians outside of their immediate location, as well as ePrescribing to cut down on time, resources, and fraud. Concerns about security, liability and reimbursement are still important issues for vendors, providers and patients but the demand for a more flexible and efficient healthcare system is driving software companies to offer more powerful and interoperable products that meet these issues head on.

Providers aren’t alone in pushing mHealth forward. Today’s patient wants to be more informed about their care and the options they are presented with medically and financially. The same streamlined access to information that is winning over large numbers of caregivers is empowering patients to make healthier choices in their lifestyles, and better decisions when navigating the healthcare system. According to the Pew Internet and American Life Project, nearly three quarters of American users (or roughly 59% of the entire US population) have used the Internet to research health information.

As both patients and providers become more accustomed to having their health decisions supported by mobile data, secure sharing of clinical, audio, and video data between patients and their caregivers will empower the healthcare system to tackle more of its challenges with technology.

For Physicians: Starting with mHealth

If you don’t have a smartphone, check out this article for recommendations. The same article includes advice on free and paid apps that any smartphone user will find helpful.

For medical-specific apps, start with the Big Boys:

  • Medscape (iOS / Android) is a product of WebMD, and features full, free access to drug, diseases, protocol, CME and hospital directory information.
  • Epocrates (iOS / Android) is a free drug reference app that also has a premium subscription feature for more in-depth info, as well as paid versions of the app for specialties and comprehensive drug interactions.
  • UpToDate (iOS, unreleased) is a web-based service for physician reference and evidence based treatment options, as well as CME for clinicians, that is planning on releasing an iPhone app sometime this month. Check out their site to stay tuned for the app’s release.

The ability to download apps (the Market for Android devices or App Store for iPhone and iPad) is built right into the device so users can quickly search for and install software without touching a desktop or laptop. These apps are a great way to get started using your device for mHealth applications, and both can be on your device within minutes of finishing this article.

CHIME Publishes 2 Free Guidebooks for Implementing EHRs, the HITECH Act and Getting the Stimulus Money

CHIME is the professional organization for chief information officers and other senior healthcare IT leaders.

CHIME has produced a CIO-oriented publication providing details on how organizations should focus their efforts to implement EHR systems that will qualify for stimulus funding payments through the HITECH Act. The 80-page guidebook is available free to the public and can be downloaded here.

Also, the American Hospital Association (AHA) and CHIME have worked collaboratively to create a guidebook for CEOs on the HITECH Act and meaningful use implementation. The handbook entitled, “Health Care Leader Action Guide on Implementation of Electronic Health Records”, provides a readable, actionable, step-by-step guide designed to assist CEOs and other C-suite executives in the EHR implementation process. The 22-page guide is available free to the public and can be downloaded here.


ARRA Eligible Providers: Who Is Eligible to Receive Stimulus Money and How Much is Available Per Provider?

Note: read my latest post on getting the EHR Incentives here.

Medicare Definition of Eligible Provider (EP)

For Medicare, physicians and some hospitals are eligible providers. “Physicians” includes doctors of medicine (MD) or osteopathy (DO), dentists or dental surgeons (DDS or DMD), podiatric medicine (DPM), and optometry (OD) and chiropractors (DC).

For providers, their annual payment will be equal to 75 percent of Medicare allowable charges for covered services in a year, not to exceed the incentives in the table below. Payments will be made as additions to claims payments.

Hospitals include quick-care hospitals (subsection-d) and critical access hospitals, and include only hospitals in the 50 States or the District of Columbia.

Medicaid Definition of Eligible Provider (EP)

Medicaid takes the Medicare definition of eligible providers (physicians) and adds nurse practitioners, certified nurse midwives and physician assistants. However, physician assistants are only eligible when they are employed at a federally qualified health center (FQHC) or rural health clinic (RHC) that is led by a Physician Assistant. Eligible hospitals include quick care hospitals and children’s hospitals.

At minimum, 30 percent of an EP’s patient encounters must be attributable to Medicaid over any continuous 90-day period within the most recent calendar year. For pediatricians, however, this threshold is lowered to 20 percent.

The first year of payment the Medicaid provider must demonstrate that he is engaged in efforts to adopt, implement, or upgrade certified EHR technology.  For years of payment after year 1, the Medicaid provider must demonstrate meaningful use of certified EHR technology.

Change 1:

The definition of “hospital-based physician” was recently clarified to include physicians working in hospital outpatient clinics (employed physicians) as opposed to the inpatient units, surgery suites or emergency departments. This still excludes pathologists, anesthesiologists, ER physicians, hospitalists and others who see most of their patients in the ER as outpatients or as hospital inpatients.

Possible Change 2:

The Health Information Technology Extension for Behavioral Health Services Act of 2010 (HR 5040)  is a bill in the US Congress originating in the House of Representatives that would amend the Public Health Service Act and the Social Security Act to extend health information technology assistance eligibility to behavioral health, mental health, and substance abuse professionals and facilities, and for other purposes.  You can track the bill here.

For more information on stimulus money for meaningful use of an EMR, read my post here.

ARRA Changes Rules for HIPAA – Did You Miss These Three February Deadlines?

With so much going on in healthcare, it would not surprise me if a lot of practices missed the February 2010 deadline for three expanded HIPAA rules.  This expansion was dictated by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed by Congress in February 2009.

If you haven’t already, get started now with the new requirements.

  1. New obligations for business associates (BA) – February 17, 2010. Remember that a BA is a person or organization outside of your entity with whom you share protected health information (PHI) so they may provide services to you.  Good examples are your billing service, collection agency, attorney, consultant, computer vendors, and providers of documentation abstracting or coding services.  Under HITECH, BAs have the same responsibilities for breaches as the healthcare entity does, but it is the healthcare organization’s responsibility to have an updated, signed BA agreement in place that describes this new responsibility.  Here is an excellent example of a BA agreement (first link under Publications) that you can download and tweak for your practice.
  2. New disclosure agreement provision – February 18, 2010. This is a big one! Patients now may waive their right to have you file their medical insurance, pay for your services themselves and request that their medical information NOT be disclosed to their insurance plan or any other entity.  In other words, patients may elect to become “self-insured”.  I recommend that you create a new financial class for these patients so they fall neither into the standard self-pay/financial assistance class nor into their actual insurance class.  These patients, if you have any, will need to be identified according to their wishes, which could mean that they want you to file insurance for some services and not for others.  This means their record must be tagged for what records can be released and what records cannot.  There could be an argument made either way for whether or not these patients should receive the self-pay discounts that you have in place for your non-insured patients.  I would be interested to know how different groups have decided to handle this.  There are sample forms for PHI disclosure accounting and for patients to request an accounting of PHI disclosures in the Manage My Practice Library under Operations.
  3. Information breach notification – February 22, 2010. We’ve heard a lot about this one, as the media (along with HHS) must now be notified if a PHI breach involves 500 people or more.  Breaches are being reported weekly as non-encrypted laptops are stolen or repurposed, and as copier hard drives (story here) go unnoticed as a security risk.  If a breach involves 500 people or fewer, each individual must receive written notice with details of the breach, the information disclosed, and the steps being taken by the practice or entity to avoid any future breaches, as well as an explanation of the rights of the patient(s) in protecting their private healthcare information.  Several of my employees have received notification letters from health plans and they have been horrified that this could happen.  Note that entities that secure health information through encryption or destruction don’t have to provide notification in the event of a breach!

Enforcement is also beefed up.
Criminal penalties will apply to covered entities that violate privacy rules AND to those organizations’ individual employees (can you track who accesses whose records when?)  Civil penalties have been increased and harmed individuals may share in the booty.  Probably most importantly, HITECH gives state attorneys general the power to enforce HIPAA rules.

Other resources:

HHS FAQ on HIPAA Privacy

AMA HIPAA Resources

Healthcare Blog Listing

Quick Reference for Acronyms and Buzzwords of ARRA and HITECH

ARRA: American Recovery and Reinvestment Act of 2009, also called “The Stimulus Package” or “The Stimulus Bill.”  Of the $850B in the bill, $51B is pegged for the health care industry and $19B of that will be used to incent medical practices to adopt EMRs/EHRs.

CCHIT: the Certification Commission for Health Information Technology is a private organization that certifies EMRs and EHRs based on 475 criteria spanning functionality, interoperability and security.  CCHIT does not evaluate ease of use of products, financial viability of the company offering the software, or the quality of customer support offered by the software vendor.  Whether or not CCHIT will be THE certifying organization to approve “qualified EMRs” will be announced at the end of the year.  (Can be pronounced “SEA-CHIT” or each letter can be pronounced as in “C.C.H.I.T.”)

Comparative Effectiveness: Comparative Effectiveness Research (CER) compares treatments and strategies to improve health.  For CER, HITECH provides $300M for the Agency for Healthcare Research and Quality, $400M for the National Institutes of Health, and $400M for the Office of the Secretary of Health and Human Services.

EHR: The aggregate electronic record of health-related information on an individual that is created and gathered cumulatively across more than one health care organization and is managed and consulted by licensed clinicians and staff involved in the individual’s health and care.

EMR: The electronic record of health-related information on an individual that is created, gathered, managed, and consulted by licensed clinicians and staff from a single organization who are involved in the individual’s health and care.

HITECH: The HIT components of the stimulus package, collectively labeled HITECH, are:

  1. Funding to the Office of the National Coordinator of HIT (ONCHIT)
  2. HIT adoption incentives through Medicare and Medicaid reimbursement
  3. Comparative effectiveness research for the Agency for Healthcare Research and Quality (AHRQ)
  4. Funding for the Indian Health Service
  5. Construction funds for the Health Resources and Services Administration (HRSA) for community health centers
  6. Funds for the Social Security Administration to upgrade HIT systems
  7. Funding for the Veterans Administration
  8. The Department of Agriculture will receive telemedicine funding
  9. Funds to the National Telecommunications Administration for broadband to enable telemedicine.

Interoperability (hospitals): (as defined by HIMSS, the Health Information and Management Systems Society); not yet defined for ambulatory care.

Meaningful Use: To qualify as a “meaningful user,” eligible providers must demonstrate use of a “qualified EHR” in a “meaningful manner.” ARRA defers to the secretary of Health and Human Services (HHS) to set specific guidelines for determining what constitutes a “qualified EHR”; however, it does specify that e-prescribing, electronic exchange of medical records, and interoperability of systems will be determining criteria.  Starting in 2011, providers deemed to be “meaningful users” of EHR systems will be eligible to receive $40,000 – $60,000 in incentive payments paid out over five years in the form of increased Medicare and Medicaid payments.

ONCHIT: Office of the National Coordinator for Health Information Technology.  In 2004 the position was created by Presidential Executive Order.  In March 2009, President Obama appointed David Blumenthal, M.D., M.P.P. to the position. The primary purpose of this position is to aid the Secretary of HHS in achieving the President’s goal for most Americans to have access to an interoperable electronic medical record by 2014 (from the website).

PHR or ePHR: An electronic, cumulative record of health-related information on an individual, drawn from multiple sources, that is created, gathered, and managed by the individual. The integrity of the data in the ePHR and control of access to that data is the responsibility of the individual.

David Blumenthal, M.D., M.P.P.: Selected by President Obama as his choice for National Coordinator for Health Information Technology, Dr. Blumenthal will lead the implementation of a nationwide interoperable, privacy-protected health information technology infrastructure as called for in the American Recovery and Reinvestment Act.