Tag: Patient’s Rights
An Indiana resident affected by a data breach at electronic health record vendor Medical Informatics Engineering has filed a class-action lawsuit in federal court against the company, alleging the vendor did not adequately protect its software from a cyberattack, Health IT Security reports (Snell, Health IT Security, 8/5).
On May 26, MIE discovered an attack on its main network and its subsidiary NoMoreClipboard’s network that started on May 7. Only some of the vendor’s clients were affected.
Information on the hacked servers included:
- Email addresses;
- Dictated reports;
- Mailing addresses;
- Medical conditions;
- Names; and
- Social Security numbers.
MIE CEO Eric Jones said it was not immediately clear how many patients were affected (iHealthBeat, 6/17).
The class-action lawsuit, filed by James Young, argues that MIE did not “take available steps to prevent and stop the breach from ever happening.”
The suit, which is joined by more than 100 plaintiffs, also alleges that MIE failed to:
- Disclose to its customers material facts related to the breach; and
- Provide timely notice of the breach.
According to the lawsuit, “As a result of the MIE data breach, numerous individuals whose [health information] was used in a MIE [EHR] have been exposed to fraud and these individuals have been harmed.”
Specifically, the suit claims that Young “suffered actual injury from having his [personally identifiable information] and [personal health information] compromised and stolen in and as a result of the MIE data breach.”
Among other things, the lawsuit seeks to determine whether MIE:
- Engaged in wrongful conduct;
- Failed to meet its responsibility of protecting patients’ health information; and
- Was aware or should have been aware that its systems were vulnerable (Health IT Security, 8/5).
Doctors and hospitals treated more patients and collected more payments in the spring as millions gained insurance coverage under the health law, new figures from the government show.
But analysts called the second-quarter increases modest and said there is little evidence to suggest that wider coverage and a recovering economy are pushing health spending growth to the painful levels of a decade ago.
Thursday’s results from the Census Bureau’s survey of service industries join other recent cost indicators that “are quite a bit lower than what the folks at CMS were projecting,” said Charles Roehrig, director of the Center for Sustainable Health Spending at the Altarum Institute, a nonprofit research and consulting outfit. “And they’re lower than what we were expecting as well.”
CMS is the Centers for Medicare & Medicaid Services, the government’s main health care bookkeeper. Last week CMS projected that health-expenditure growth would accelerate to 5.6 percent this year from an estimated 3.6 percent in 2013.
But health and social spending as measured by the Census Bureau grew by only 3.7 percent from the second quarter of 2013 to the same quarter of 2014. Hospital revenue increased 4.9 percent during the same period. Revenue for physician offices barely budged, growing by only 0.6 percent. Medical lab revenue rose 1.9 percent.
The report is far from being the last word. It doesn’t include spending on prescription drugs, which has been rising this year thanks to new very expensive medicines for hepatitis C.
And while the Census Bureau’s year-over-year results for the second quarter show tame cost trends, the increase from the first quarter to the second was more substantial. Total health and social spending rose at an annual rate of more than 12 percent from the first quarter to the next. If sustained, such acceleration would raise alarms and actuaries’ blood pressure.
But some who follow costs closely don’t think the pace will continue.
First, health spending suffered a mini-crash over the winter, as bad storms kept people away from caregivers. Hospitals and doctors billed less from January to March than they did last fall. Part of the second-quarter recovery may just have been catch-up, analysts said.
At the same time, many people covered through the health law’s online marketplaces didn’t sign up until close to the deadline at the end of March. Much of the spring increase may represent a one-time surge as those folks sought treatment for previously neglected conditions.
For those reasons, the year-over-year results for the second quarter may give a better indication of longer-term cost trends than the change from the first quarter to the second, Roehrig said.
Estimates vary, but no one disputes the idea that the Affordable Care Act’s health insurance marketplaces and expansion of Medicaid for the poor have added millions of previously uninsured people to coverage rosters this year.
History and logic suggest that expanded coverage and an improving economy will boost long-term, national health expenditures from their average growth rate of 3.7 percent during the past five years. (That’s spending by everybody — government programs, employer insurance, commercial plans and consumers paying out of pocket.)
But so far the speedup seems nowhere close to the near-double-digit rates in the early 2000s.
Hundreds of Tampa General Hospital patients have had their personal data stolen, the hospital said Friday.
The information included names, addresses, dates of birth, Social Security numbers, admitting diagnoses, and insurers, the hospital said in a media release.
In total, the hospital has sent letters to 675 patients, letting them know they have been affected. Those impacted were scheduled for surgical procedures between October 3, 2011 and August 7, 2014, according to Tampa General.
The hospital said that they have mailed notices to the affected patients. They said they have also set up a call center for the patients to get more information. That number is 1-877-202-4625.
The data breach came to light when the Tampa Police Department contacted the hospital to tell them that, during an arrest, they found four one-page patient cover sheets. The person who was arrested was not a TGH employee, the hospital said.
According to John Dunn, a hospital spokesperson, the information was traced back to an unnamed employee, who has been with TGH since 2007 in a non-clinical role.
“(She) would enter orders, do help with scheduling,” said Dunn. “So they were allowed access to medical records, but not allowed to be accessing those records.”
Dr. Jay Wolfson, a professor of Public Health, Medicine & Pharmacy at USF, tells FOX 13 hospitals are making strides in patient confidentiality, but even those with tight security measures are still vulnerable.
“Health care institutions are the single largest source of identity theft in America right now,” said Wolfson. “If it’s happening there, it’s happening elsewhere.”
According to Wolfson, that’s because, in a hospital setting, there are often many documents in a patient’s file and many hands accessing that information.
“It’s vital that whoever’s touching them has exclusive privileges to touch only the part they’re authorized and need to touch,” Wolfson said.
The hospital has set up a call center for the patients to get more information. That number is 1-877-202-4625.
The IRS is conducting its own investigation to see if the employee committed a crime, according to Tampa police.
Recently, Cisco chairman and CEO John Chambers told me that U.S. health care is at a tipping point. A positive one, he hopes, but the truth is no one knows for sure which direction the system will tip.
At the close of our interview, I asked Chambers what health care topic he’d like me to cover in the future. He asked me to answer two questions. And they happen to be the two questions weighing most heavily on the minds of just about every U.S. health policy expert:
Question 1: “How will the health care world move from operating in silos to working together seamlessly?” And question 2: “How will (doing that) help patients achieve the health outcomes that are possible and most important to them?”
Predicting the future is impossible. But these five health care megatrends offer reason for hope – and for concern, as well.
1. The Formation Of Accountable Care Organizations (ACOs)
ACOs are groups of health care providers (primary care physicians, specialists, hospitals, etc.) who band together voluntarily to look after a patient’s total health. ACOs promise to eliminate silos, improve patient outcomes and lower overall health care costs.
At least, that’s the concept.
ACOs were built into the Affordable Care Act (ACA), also known as “Obamacare,” and carry both incentives for better clinical outcomes and the backing of many commercial insurance carriers.
If successful, ACOs could move American health care from its historically fragmented structure to one that provides substantially higher levels of integration and collaboration.
What that means for patients is that fewer will fall between the cracks at the point of care. When a primary care physician is sharing patient information and collaborating with a heart specialist, the probability of error decreases.
What’s the catch? Getting health care providers to work together is no easy feat.
Health care silos have been around for decades. Few doctors are quick to cede their independence or autonomy for the sake of greater collaboration. Meanwhile, hospital administrators don’t like having to share authority with clinicians. They’ve been trained to fill beds, not improve the effectiveness of care.
Most newly formed ACOs have demonstrated the ability to improve the quality of patient care. But few have been able to reverse the rising costs of health care delivery.
Overcoming the cultural issues is likely to prove harder than policy makers would hope.
2. Moving Away From Fee-For-Service Payment Models
Health care’s traditional fee-for-service payment model is flawed. Physicians and hospitals get paid based on volume and complexity of their services – not based on clinical outcomes.
Through these perverse incentives, physicians make more money by doing more tests, seeing patients more frequently and performing high-priced, complex procedures. Under fee-for-service, keeping patients healthy and avoiding major diseases would be relatively unprofitable for doctors and hospitals.
America spends nearly $3.8 trillion a year on health care. That’s 17.6 percent of the gross domestic product (GDP) and significantly more than any other country. Yet our measurable health outcomes – from infant mortality to life expectancy – rank nowhere near the top of developed nations.
Some health care delivery systems are adopting viable alternatives called prospective payments. These include bundled payments – a single payment for an entire episode of care (a start-to-finish treatment for any given patient). They’re also exploring capitation – a negotiated payment for a given period to cover the costs for a group of patients with clear expectations around quality and service.
Both approaches seek to shift financial incentives away from volume to providing total care for the patient. They’re about moving from sick care to health care.
And there have been some successes here. Take Pacific Business Group on Health (PBGH). Rather than generating a bill for hundreds of individual tests and procedures, PBGH is requiring hospitals and doctors to charge a single, all-inclusive price. In 2008, the purchasing group limited what it would pay for total joint hip replacements to $30,000. As a result, participating hospitals dropped the price of the procedure.
What’s the catch? Before we can generalize about the efficacy of this approach, we must recognize that total joint surgery is a procedure performed by only one group of medical specialists. And their outcomes are consistently good.
What happens when we introduce patients with more complex problems, like those with multiple chronic diseases? With bundled payments and capitation, physicians and hospitals will need to figure out how to distribute revenue among care providers from different specialties.
And this may prove more difficult in practice than theory.
3. Rewarding Better Health Outcomes and Quality
Medicare Advantage is an alternative to the fee-for-service (traditional) Medicare program.
Under Medicare Advantage, the Centers for Medicare & Medicaid Services (CMS) contract with private health plans to provide Medicare beneficiaries with medical coverage.
Patients enrolled in Medicare Advantage agree to obtain care from a specific group of physicians and hospitals. In return, subscribers enjoy lower out-of-pocket expenses.
Participating organizations must report quality and patient satisfaction data to CMS on an annual basis.
Based on this information, each Medicare Advantage program is awarded one to five stars. The Medicare stars program rewards the highest-rated organizations – the ones with superior quality, the greatest success in prevention and the highest levels of patient satisfaction – with additional payments.
What’s great about this program is that it aligns incentives and puts more power in the hands of patients. If the doctors and hospitals don’t perform, the health plans with which they contract receive a lower rating. And each year, patients get to assess which Medicare Advantage provider is right for them.
This program shows a lot of promise. It has demonstrated improved clinical outcomes and increased patient satisfaction. As a result, nearly half of all newly enrolled Medicare members select a Medicare Advantage plan.
What’s the catch? In spite of this success, most Medicare beneficiaries are still in the older fee-for-service payment model.
The Medicare Advantage model may be the future’s preferred approach. It combines many of the elements for success: choice, accountability and transparency. And it could well provide the force needed to tip the U.S. health care system in the right direction.
4. Health Information Technology (healthIT) Incentives
The year is 2014. Technology drives nearly every American industry. But look behind the reception desk at your doctor’s office and there’s a good chance you’ll find a maze of file-folders stuffed with patient information – just as it was 20 years ago.
As part of the recent HITECH legislation, physicians were offered $44,000 to purchase, install and demonstrate “meaningful use” of modern information technology systems.
These computer systems can provide doctors with important clinical information and help them coordinate with other medical colleagues. As a result, physicians will be able to make better clinical decisions and avoid duplication of tests or procedures.
What’s the catch? Lack of connectivity.
You’d think that doctors and hospitals would share a single technology platform or would, at least, be able to achieve connectivity between their systems.
That’s not the case. Progress in linking disparate technology systems has been slower and more difficult than previously imagined.
Meaningful Use “Stage 2” will provide incentives for interoperability (the ability of systems and organizations to work together). But it remains to be seen whether these federal incentives will be enough to offset the cost required to connect these systems.
Having taken the original dollars, physicians must now deliver on the “meaningful use” requirements. But to net a positive ROI on the IT investment, physicians will need to modify their practices – something they have not been interested in doing in the past.
5. A New Generation Of Physicians
The new generation of physicians are tech-savvy. They can’t imagine their lives without mobile devices or constant connectivity.
And in school, they were trained to work in teams – unlike their elder colleagues. As a result, a majority of new docs prefer to be employed by an established organization (a hospital or an integrated health care system, for example) rather than launching their own private practice.
Their backgrounds and predilections align well with what American health care will need in the future.
What’s the catch? Many Gen X and Y physicians value and expect greater work-life balance than physicians who came before them. And their enthusiasm may wane once they realize how sluggish the profession has been in embracing new technology.
On the other hand, when patients begin choosing this next generation to care for them, the world of health care may tip rapidly.
Will Change Happen?
Physicians and hospitals are moving forward in each of these areas. They are forming ACOs, accepting new forms of payment, focusing on preventive services, reducing medical errors, and learning to benefit from computer systems.
Still, many providers are hedging their bets.
Some of their practice is bundled and prepaid, but much remains fee-for-service. Some patient information is available through their computers, but much remains on paper. Some are hoping that the prevailing megatrends in health care are just fads. Some will continue to resist change.
What many don’t recognize is what John Chambers emphasized heavily in our interview. The economics will drive change in health care, whether we like it or not.
Change will happen one way or another.
Florida Healthcare Plus, a Medicare HMO and drug plan, is under state review for making a $600,000 error in a financial statement and has been temporarily blocked from enrolling any new members, its chief executive says.
The company, based in Coral Gables, was also recently fined $113,200 by the federal Centers for Medicare and Medicaid Services (CMS) for a different type of infraction — “systemic failures” to provide all the benefits due to members under CMS rules.
The fine was explained in a July 17 letter to Florida Healthcare Plus’ CEO Susan Molina from Gerard J. Mulcahy, director of the CMS enforcement group for Medicare Advantage and drug plans. He wrote that in a December 2013 review, CMS determined that the plan had delayed or denied some patients’ access to their medications. Also, some of the HMOs’ members who filed complaints or appeals faced inappropriate delays or denials of the right to access a health service, the letter said.
Molina was not in charge at the time of the December audit. She was brought in by investors to turn the HMO around in January.
The accounting error, which occurred this summer, involved a duplicate listing of a capital contribution on a quarterly report to the Florida Office of Insurance Regulation, Molina said. “They caught it; we didn’t, unfortunately,” she said.
The error caused the HMO to fall below the required amount in capital reserves by a small amount, which was quickly rectified, Molina said. But the damage was done.
“The state of Florida asked us to stop enrolling until they can complete an investigation of our financials to make sure everything is okay,” Molina said. She said the review would start next week and that OIR officials would be on-site Sept. 15.
OIR spokesman Harvey Bennett said the agency cannot confirm or comment on any ongoing reviews.
The enrollment freeze will have only a minor impact unless it lasts more than a month. Open-enrollment season for Medicare plans begins Oct. 15. Florida Healthcare Plus has only 11,000 members.
“We’re small but we believe we can make it through this,” Molina said.
The plan has been in trouble with CMS before, as Health News Florida reported in April. The federal agency fined the plan more than $40,000 that month for failing to notify its members in the fall of 2013 of the changes in the plan for 2014.
Aside from its headquarters in Miami-Dade County, Florida Healthcare Plus also has an office in Tampa.
According to cloud security vendor Skyhigh Networks, more than 13% of cloud services used in healthcare are high-risk and 77% are medium risk ‒ as measured across 54 different security attributes (like data encryption and “two factor” authentication).
As if to add emphasis to this exact point, risqué celebrity photos were hacked over the weekend in what is being rumored as a potentially broader attack on Apple’s iCloud service.
While cloud vendors have a general responsibility to encrypt data at rest and offer two-factor authentication (iCloud does), they can’t really dictate the use of important safety measures ‒ especially on the retail/consumer side. In the case of two-factor authentication, it’s an extra, somewhat annoying step and the risks are often thought to be vague or low for casual consumer data. As a gentle reminder, if you haven’t read Mat Honan’s account of how he lost his digital life in one hour, now would be a good time to get that chilling refresher.
Which also underscores healthcare’s broader dilemma. On the one hand, cloud services can offer advanced technical solutions at an attractive price compared to on-premise hardware and software, but issues of privacy and security are also very different for healthcare. Recent statistics from Skyhigh Networks also serve to emphasize these concerns.
The recent breach at Community Health Systems (4.5 million patient records) could well be the tipping point in the on-premise versus cloud debate ‒ at least in healthcare. While the forensic analysis is still underway, it appears that the Heartbleed bug did play a leading role in the breach and that means open-source software was a contributing factor to what is now the 2nd largest data breach in U.S. healthcare. I’m equally sure that CHS wasn’t alone in the use of free open-source software for this critical security component.
There’s nothing inherently wrong with open-source software, of course, but its use in healthcare for protecting patient records does make it higher risk because there is no software warranty of any kind. The pending class action lawsuit against CHS could well hinge on this one point because it could go to the heart of another legal phrase ‒ negligence. Should CHS (or really any healthcare entity) rely on open-source software as a mission-critical component of web security in protecting patient records?
All of which highlights the broader issues around cybersecurity in healthcare:
- The gap between offense and defense is growing and continues to favor the attackers. They only need one exploit or vulnerability whereas IT departments have to protect against the entire attack surface.
- Cyber experts as a resource are in high demand ‒ and dwindling supply. This doesn’t bode well for healthcare generally ‒ which has tended to downplay the importance of IT infrastructure and typically under-funds security specifically.
- As evidenced by CHS, “bad actors” are no longer lone hackers for quick profit ‒ but are well-organized “advanced persistent threats” that are often coordinated by large groups on behalf of entire countries (Russia, Ukraine, China etc.).
Leading software security vendor Symantec offers these five elements of an “advanced persistent threat.”
While there’s no way to know for sure at this stage, I estimate the cost of the CHS breach at somewhere between $75 million and $150 million. Whatever the final amount, it’s relatively easy for a 31,000 bed hospital system (with a market cap of $6 billion) to absorb, but a large data breach could easily cripple a smaller system or facility. Even small ones have millions of patient records.
In that sense, the debate between on-premise and cloud solutions could well be coming to an end. Cloud solutions may well be the only way that large segments of the healthcare industry are able to address critical IT infrastructure issues like security. Healthcare today can’t afford the talent or the resources to staff advanced security operations centers (SOCs), but they need the advanced protection that newer technology solutions can deliver.
That’s where companies like Skyhigh Networks represent a potentially strong fit for healthcare. Founded in 2011 (with more than $66 million in venture funding to date), Skyhigh helps organizations to discover, analyze and control thousands of cloud services in use throughout an entire enterprise.
“Cloud technology is a logical imperative for healthcare because it offers compelling IT value across a wide range of services and solutions, but it also poses new security challenges and threats. We intuitively know that we can’t eliminate all risk, so organizations across the healthcare spectrum need to take a proactive, risk-informed and actively monitored approach to leveraging all the cloud benefits while maximizing for the various attributes related to security.” Rajiv Gupta – Founder, CEO of Skyhigh Networks
Unbreakable data security doesn’t exist and isn’t likely to appear in the foreseeable future. All we really have are varying degrees of sophisticated defenses in attempts to thwart increasingly sophisticated attacks. In healthcare, being able to afford the newer defense mechanisms and lower risk profiles is likely to include a wide range of cloud options. That could logically include relatively new ones like Skyhigh Networks.