Tag: Patient Safety

Justices To Weigh Doctor’s Care Before Patient Suicide

The Florida Supreme Court will hear arguments next month in a medical-malpractice dispute that focuses on whether a family physician provided adequate care before a patient committed suicide.

The court released a schedule Thursday that said arguments in the Sarasota County case will be heard Sept. 2. The case stems from the October 2008 death of Jacqueline Granicz, who was a patient of family physician Joseph Chirillo and had been treated for depression.

Granicz, 55, called the doctor’s office the day before her suicide and complained of issues such as mental strain, according to court documents. After learning about the call from an assistant, Chirillo decided to change Granicz’s medication and refer her to a gastroenterologist for gastrointestinal issues.

Granicz’s husband, Robert, filed the lawsuit alleging that Chirillo was negligent in his handling of the situation, at least in part because the doctor did not see the patient after the call.

A circuit judge granted summary judgment to Chirillo.

But the 2nd District Court of Appeal last year reversed that decision, allowing the lawsuit to move forward — and prompting Chirillo to ask the Supreme Court to hear the case. In a brief filed in February, Chirillo’s attorneys argued, in part, that the suicide could not be foreseeable to Chirillo and that state law treats suicide differently than other types of injuries or death.

“There are sound legal and practical reasons — already explained by Florida courts — for a physician to be held not to owe a legal duty to an outpatient who commits suicide, and thus, for this unique injury to be governed by different rules than those applicable to physical injuries alleged to be caused by medical malpractice,” the brief said.

But in a March brief, Robert Granicz’s attorneys pointed to expert testimony that Chirillo should have seen Jacqueline Granicz and assessed her condition after the call to the doctor’s office.

“Doctors can foresee that failing to treat their patients in a timely and proper fashion puts them in harm’s way,” the Granicz brief said. “Drilling down further, doctors treating patients for depression can foresee that failing to treat them in a timely and competent manner may result in suicide.”

 

Class-Action Lawsuit Filed Against EHR Vendor Over Data Breach

An Indiana resident affected by a data breach at electronic health record vendor Medical Informatics Engineering has filed a class-action lawsuit  in federal court against the company, alleging the vendor did not adequately protect its software from a cyberattack, Health IT Security reports (Snell, Health IT Security, 8/5).

Background

On May 26, MIE discovered an attack on its main network and its subsidiary NoMoreClipboard’s network that started on May 7. Only some of the vendor’s clients were affected.

Information on the hacked servers included:

  • Birthdates;
  • Email addresses;
  • Dictated reports;
  • Mailing addresses;
  • Medical conditions;
  • Names; and
  • Social Security numbers.

MIE CEO Eric Jones said it was not immediately clear how many patients were affected (iHealthBeat, 6/17).

Lawsuit Details

The class-action lawsuit, filed by James Young, argues that MIE did not “take available steps to prevent and stop the breach from ever happening.”

The suit, which is joined by more than 100 plaintiffs, also alleges that MIE failed to:

  • Disclose to its customers material facts related to the breach; and
  • Provide timely notice of the breach.

According to the lawsuit, “As a result of the MIE data breach, numerous individuals whose [health information] was used in a MIE [EHR] have been exposed to fraud and these individuals have been harmed.”

Specifically, the suit claims that Young “suffered actual injury from having his [personally identifiable information] and [personal health information] compromised and stolen in and as a result of the MIE data breach.”

Among other things, the lawsuit seeks to determine whether MIE:

  • Engaged in wrongful conduct;
  • Failed to meet its responsibility of protecting patients’ health information; and
  • Was aware or should have been aware that its systems were vulnerable (Health IT Security, 8/5).

FDA Fears Hacking Risks In Medical Devices; Says Hospira Pump Should Not Be Used

Hackers may be able to hijack the intravenous pumps at the hospitals. The U.S. Food and Drug Administration warned hospitals against using Hospira’s Symbiq Infusion System because of a hacking risk.

The Symbiq Infusion System delivers medications intravenously. The dosage is programmed through the hospital network. The FDA said if the device is hacked, the dosage to a level can be changed, putting patients at risk.

The Department of Homeland Security earlier issued a similar warning about the the pump’s vulnerability to cyberattack. Billy Rios, a cybersecurity expert, said the pump can be hacked remotely by accessing a hospital network.

“There’s no question that these vulnerabilities can be used to kill someone — we wrote an exploit that would do just that and gave the research to the Department of Homeland Security and the FDA,” said Rios, a former Google software engineer.

Meanwhile, the Symbiq manufacturer Hospira has suspended production and distribution of the pump. Hospira said in a statement it is working in close association with hospitals to deploy a software update to all such devices.

“In alignment with Hospira’s cybersecurity roadmap, we’ve designed our next-generation infusion systems with enhanced network security protections in place,” the statement said.

In addition to the intravenous pumps, there are several other medical devices, including insulin pumps and pacemakers, that may be vulnerable. Such devices receive data wirelessly or over a hospital’s network, a feature that makes them vulnerable to cyberattack.

States warn Medicaid managed-care rule would shrink their authority over plans

As expected, the CMS’ sweeping rule to modernize the regulation of Medicaid managed-care plans is drawing flak from state Medicaid directors and insurers who say it would impose heavy-handed federal control and could hurt patient care.

But some consumer advocacy groups responded favorably to the proposed rules, saying they offer guidance to states and Medicaid plans in developing provider networks that offer better access to beneficiaries.

The 653-page rule released in May would cap how much premium revenue private plans could allocate for administration and profits; require states to more rigorously supervise the adequacy of plans’ provider networks; encourage states to establish quality rating systems for plans; allow more behavioral healthcare in institutional settings; and encourage the growth of managed long-term care.

The proposed rule was considered long overdue because Medicaid managed-care enrollment has soared by 48% to 46 million beneficiaries, according to consulting group Avalere Health. By year-end the firm estimates that 73% of beneficiaries will receive services through managed-care plans.

Currently, 37 states and the District of Columbia contract with Medicaid plans, according to Medicaid Health Plans of America.

States have turned to Medicaid managed-care plans hoping to reduce costs and get more budget predictability. Insurers, however, have faced criticism for offering inadequate provider networks and denying needed care to pad their bottom lines. Because of the wide variation in how states run their Medicaid managed-care programs, there have been “inconsistencies” and “less-than-optimal results,” the CMS said when it issued the proposed rule.

Last year, HHS’ Office of Inspector General reported that states were not enforcing their own rules to ensure Medicaid plans had enough providers to care for their patients.

The last federal regulation governing such plans was issued in 2002. The proposed rule received nearly 900 comments by the July 27 comment deadline.

The National Association of Medicaid Directors said in its written comments that the rule would reduce the role of state Medicaid agencies in supervising how Medicaid managed care operates in their states. “The overarching framework of the regulation appears to shift the balance of authority for Medicaid managed care to the federal government, driving a top-down model that runs counter to the goal of a modernized regulatory framework,” the group said.

That approach, the group added, “removes the ability of states to drive innovation in managed-care delivery, to fully leverage the relationship to improve plan performance, or to tailor the approach to reflect the needs and expectations of the local population.”

A CMS representative did not respond to a request for comment for this article.

The Medicaid directors criticized a provision that would require states to offer Medicaid beneficiaries at least 14 days of initial coverage under traditional fee-for-service Medicaid, during which time they could choose a managed-care plan. “This policy fails to recognize that many states no longer have (fee for service) delivery models in their program,” the group complained.

Medicaid plans objected to the CMS’ proposal that they be required to spend 85% of premium revenue on medical care, a threshold known as a medical loss ratio. The Affordable Care Act set minimum medical loss ratios of 80% and 85% for individual and large-group plans in the commercial sector; money spent on administrative costs and profit above those limits must be rebated to consumers or employer purchasers. As of 2015, health plans doing business with Medicaid and the Children’s Health Insurance Program are the only ones that are not subject to such thresholds.

The health insurance industry had lobbied against inclusions of a minimum medical loss ratio, but experts said the proposed Medicaid requirement would not have much effect on large national insurers. About three-quarters of states with Medicaid managed care already require average medical loss ratios of at least 85%, according to the Kaiser Family Foundation.

Still, the Blue Cross and Blue Shield Association argued in its written comments that the benefits and services offered by managed-care organizations do not easily fit into the commercial medical loss ratio calculation. For example, managed-care plans spend significant resources on beneficiary outreach, partnering with local organizations for health promotion activities, and services to enhance patient compliance with treatment plans.

“Accounting for these expenditures in the MLR methodology may be challenging,” the Blues association said. “In addition, federal and state Medicaid reporting requirements require significantly more administrative resources beyond what commercial and Medicare programs require, making meeting an 85% MLR more difficult.”

To ensure that Medicaid beneficiaries have adequate access to care, the CMS is proposing that states establish time and distance standards for enrollees’ access to providers. The agency mostly left the development of these standards to the states.

At a minimum, Medicaid plans’ provider networks must meet such standards for certain types of providers, including hospitals, primary-care physicians and OB-GYNs, according to the proposed rule. The CMS said time and distance more accurately capture whether beneficiaries have adequate access to care than provider-to-enrollee ratios. States must also consider whether plans offer an adequate number of providers who speak languages other than English. In addition, the CMS encouraged states to include pediatric primary, specialty and dental providers in their network rules because of the large number of children covered under Medicaid and CHIP.

But Medicaid plans warned such requirements could hurt care for beneficiaries. “Requiring that states establish access standards based on the travel time and distance to a provider’s office relies on outdated notions of ‘traditional’ models of care delivery and does not take into account the variety of ways in which patients now commonly access healthcare, including via telemedicine,” Kaiser Permanente, which operates Medicaid plans, said in its comments. “Mandating the use of time and distance standards works to preserve the structure of geographically dispersed, disjointed provider networks and would do nothing to improve the quality of care provided to Medicaid beneficiaries.”

Geography-based standards also could discourage integrated delivery systems like ACOs, plans said.

But the National Health Law Program, a consumer advocacy group, praised the network adequacy provisions. “For too long, the Medicaid managed-care program has lacked specific network adequacy standards aimed at ensuring that consumers can access care from their Medicaid plans,” the group said. “These proposed provisions add significant detail to guide states and Medicaid plans in developing their networks to ensure adequacy.”

Medicaid Health Plans of America criticized a proposed provision eliminating the requirement that Medicaid plan enrollees provide written consent for a provider to file an appeal on their behalf following an adverse benefits decision. The CMS said requiring Medicaid enrollees to provide written consent is inconsistent with standards for the Medicare Advantage program.

“The language in the proposed rule may encourage providers to use the appeal process as a way to file claims payment disputes, which is not the intent of the grievance or appeal process,” the health plan group said in its comments.

Anthem wrote that “we believe that the proposed approach could potentially result in providers operating in furtherance of their own self-interest.”

Kidney-care providers to face 2% cut to Medicare payments and see new quality metrics

Kidney-care providers could see their Medicare payments reduced by up to 2% in the next few years if they do not score high enough on quality measures.

The CMS on Friday proposed updates to policies and payments for end-stage renal disease, which would affect payments to more than 6,000 U.S. kidney dialysis facilities.

In recent years, the agency has focused on efforts to drive high-quality care, such as disease prevention, chronic disease management, improving outcomes and promoting efficiency.

The ESRD proposal released last week is part of that broader push. It would change how dialysis facilities are reimbursed by linking a portion of their payments directly to quality scores. It would also eventually add new metrics to the ESRD Quality Improvement Program.

There are currently 11 measures to evaluate end-stage renal disease care through the quality program. They include eight clinical measures, such as: how many patients receive the best vein access method (arteriovenous fistula) versus the least recommended (catheter), how well toxins are being filtered from the blood during dialysis; infection rates; and how well hypercalcemia is controlled. They also include three reporting measures, including patient experience, anemia and bone mineral metabolism management.

The CMS assigns a score for each measure, and those scores are later combined to create a “total performance score”—which ranges from zero to 10- for each facility. Centers that do not meet the minimum score established by a benchmark determination would be financially penalized up to 2% of its Medicare reimbursement.

It is estimated that the treatment of end-stage renal disease costs Medicare $34 billion in 2011, about 6% of all Medicare spending. Hemodialysis for end-stage renal disease costs the program about $88,000 annually per patient.

The CMS plans to add quality-of-life measures, such as pain and depression management and readmission rates in 2018. By 2019, two new measures will be adopted: one looking at seasonal flu vaccination, and ultrafiltration rates, a process for removing excess water and sodium from the body of kidney-failure patients.

Although studies have suggested that higher ultrafiltration rates in hemodialysis patients are associated with a greater risk of all-cause and cardiovascular deaths, nephrologist Dr. Alan Kliger, chief quality officer for Yale New Haven Health System, cautions against the premature use of the ultrafiltration metric.

Higher amounts of life-threatening fluids accumulate between treatments for patients who eat or drink more than recommended, and they would need ultrafiltration. “That doesn’t necessarily mean that higher filtration causes more deaths,” Kliger said. “They may be dying not because we are ultrafiltering them more but because they have physiologies that make them more dangerous patients.”

That particular measure has not been endorsed by the National Quality Forum, a nonprofit that reviews and endorses quality improvement metrics. In a  draft report issued in June, the NQF’s Renal Standing Committee declined to recommend the metric the CMS plans to adopt and instead recommended a different one for ultrafiltration.

Dr. Frank Maddux, chief medical officer of Fresenius Medical Care, one of the two largest U.S. dialysis providers, expressed similar concerns about CMS’ use of measures that are either not endorsed or are being considered for removal by NQF.

He also raised questions about measures for standardized transfusion and hospitalizations, which he said appear to rely on baseline performance data submitted in 2013 for the 2018 payment year.

“It strikes me that those measures are not very mature,” he said. That’s a major concern since a 2% reduction is a “substantial issue all providers take seriously.”

However, even imperfect measures can work if they are valid, reliable and feasible in the evolution of the systems to capture data, Maddux said. “They become points of concentration for the organizations that are providing care.”

But, he added, “If that concentration is not aligned with the state of the science, then we aren’t spending our time on those things that are most important.”

Cyberattack exposes data of 11 million Premera Blue Cross members

Premera Blue Cross, a health plan in the Pacific Northwest, was hit with the second-biggest cyberattack in healthcare industry history, exposing the personal, financial and medical information of more than 11 million customers.

The Mountlake Terrace, Wash.-based company discovered the attack on Jan. 29, 2015. An investigation revealed that the initial attack occurred May 5, 2014. The breach affected Premera Blue Cross, Premera Blue Cross and Blue Shield of Alaska, and Premera affiliate brands Vivacity and Connexion Insurance Solutions.

Premera said the company has not been able to determine if any data was actually removed from the company’s systems and that there’s no evidence that any of the records in the breached system have used inappropriately.

The revelation comes just six weeks after Anthem, the nation’s largest investor-owned Blues licensee, disclosed that hackers had stolen the records of nearly 80 million from its IT system.

Information exposed in the hack dates back to 2002. The company said the records could include members’ names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, telephone numbers, member identification numbers, bank account information and claims information, including clinical information.

As with the Anthem hack, the Premera breach affects some customers of other Blues plans that participate in the national, reciprocal claims payment network called BlueCard, a Premera spokeswoman confirmed. The network is often used for members who travel out of their insurer’s service area for care.

Premera Blue Cross is beginning to mail letters to affected customers offering two years of free credit monitoring and identity theft protection. The company also has established a call center and and a website, www.premeraupdate.com, dedicated to information about the breach.

“We at Premera take this issue seriously and sincerely regret the concern it may cause,” Premera CEO Jeff Roe said in a statement. “As much as possible, we want to make this event our burden, not that of the affected individuals, by making services available today to help protect people’s information.”

If the ongoing investigation confirms that no data was removed from Premera’s system, customers could less of a risk than Anthem’s customers. But the company may be offering protection to customers because it can’t be sure that’s the case, said Mac McMillan, a healthcare security expert and founder of CynergisTek, an Austin, Texas-based security consultancy.

“It could very well be they can’t prove the negative,” McMillan said. “They can’t disprove that these people had access to that information.”

It’s possible but not likely that the individuals could have downloaded the data from Premera’s servers but left no evidence that they removed the data, MacMillan said. Stealing data without leaving a trace is very difficult, he said, because usually only high-level administrators have the ability to eliminate audit trails.

Hackers also may have infiltrated the system without the intention of stealing data, McMillan said. Cyberattackers sometimes look for insecure systems and manipulate them to create bots that can be used in other cyberattacks, he said.

Premera has worked closely with the FBI and Mandiant, a major cybersecurity firm, to investigate and remove the “infection created by the attack,” the company said. An FBI spokeswoman said in a statement that Premera “quickly” notified the law enforcement agency about the attack but declined to give a specific time frame.

In the Anthem hack, the initial investigation indicated that members’ bank or clinical records were not exposed. The inclusion of that information in the Premera breach makes it particularly disconcerting, said Pam Dixon, executive director of the World Privacy Forum, a San Diego based not-for-profit organization that pioneered research into the field of medical identity theft.

“The recent spate of advanced medical breaches show us that the word is out about the value of medical data, and the sophisticated level of criminals making these attacks,” Dixon said in a statement. “Patients need to be prepared and educated about both medical ID theft and phishing, and providers need to be honest about the risk of medical forms of ID theft.”

Cyberattacks are one of the least common ways that protected health information is exposed, but the episodes typically involve dramatically bigger numbers of records.

Nearly three-quarters of the records exposed in healthcare breaches reported to HHS have been linked to cyberattacks, even though those attacks account for less than 10% of the breaches, according to a Modern Healthcare analysis of HHS data.

“(Hackers) clearly have an eye on these types of organizations who hold financial information, but also very sensitive healthcare information,” said Paul Bantick, an underwriter for cybersecurity insurer Beazley, which also provides services for organizations responding to attacks.

“The best way for these organizations to mitigate the damage,” Bantick said, “is to respond and contain it as best as you can.”