Preparation is key to HIPAA compliance for health IT vendors

Health IT vendors are not breach proof but should be “breach ready,” according to a Health Care Compliance Association webinar entitled “HIPAA: Marketing and Contracting Solutions for Health IT Vendors.” William J. Roberts, partner at Shipman & Goodwin LLP, discussed strategies for vendors to incorporate compliance with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) into negotiations, agreements, and policies.

HIPAA landscape

HIPAA privacy continues to grow in importance for the health care sector, for both covered entities and their vendors. Roberts said that health IT vendors face two challenges: managing covered entity customers that have concerns about HIPAA compliance, a “major undertaking” when a vendor has thousands of covered entity customers, and a regulatory and enforcement landscape that is shifting its focus from covered entities to vendors (see 2017 OCR resolution agreements off to a strong start, June 30, 2017; Business associates no longer second to covered entities as OCR increases focus, November 22, 2016). He pointed out that 60 percent of business associates have suffered a data breach, and in 2016 HHS imposed a $650,000 penalty in the first HIPAA enforcement action against a business associate (see $650K payment, 6 year CAP resolve nursing home ePHI loss, July 1, 2016).

Pitches

A vendor should already have developed a formal HIPAA compliance program before reaching out to potential customers, and HIPAA compliance should be at the forefront of a vendor’s pitch or response to a request for proposals. The vendor should provide a summary of its HIPAA compliance policies, including its establishment, review, security, and training. A policy summary, said Roberts, is preferable to disclosing the policies themselves, which would be a “roadmap to being hacked.” Roberts also advised vendors to highlight certifications and set forth clear expectations for the privacy aspects of the proposed relationship.

Business associate agreements

The business associate agreement is a vendor’s first opportunity to make a good impression regarding its commitment to privacy. Vendors should have at least one template agreement, or more than one for different types of customers. Roberts advised knowing what a vendor can and cannot agree to before a negotiation and educating the sales team to avoid later back-pedaling on a promise. He also suggested empowering the customer by providing a “menu” of choices that are acceptable to the vendor—for example, barebones breach notice within five days or a more thorough notice at 15 days.

If customers are or might someday be substance abuse treatment providers, the vendor should consider this same approach for qualified service organization agreements. The vendor should review its customers and potential targets for the application of the “Part 2” confidentiality rules and include a provision in the agreement requiring the customer to notify the vendor of the customer’s status as a Part 2 program.

Data breach response

No human or service is perfect, and a vendor will probably have a data breach at some point, said Roberts, which makes a detailed data breach response plan “vital.” He identified the following elements of a breach response plan:

  • Develop an incident intake procedure.
  • Identify the leaders and members of the response team.
  • Rely on standard templates and standard works.
  • Consider a “playbook” and/or a breach reporting decision tool.
  • Develop a customer relations strategy before the breach occurs.
  • Have support vendors ready to act.

The vendor should not simply notify the customer that a breach has occurred; it should have a plan and proposal that it can offer the customer. The process should:

  • provide the covered entity the information it needs to fulfill its own legal obligations;
  • reassure the customer that the situation is under control and being handled properly;
  • inform the customer of steps the vendor has taken and is willing to take on behalf of the covered entity;
  • provide a “menu” of services available to the customer; and
  • create a plan for the future—a holistic look at what the company is doing, not just boilerplate language.

Webinar gives tips on improving next eCQM submissions

Health care compliance professionals who are involved in electronic clinical quality measures (eCQM) submissions should prepare now for their 2017 submissions, according to Catherine Gorman Klug, RN, MSN, Director of the Quality Service Line at Nuance Communications. In a Health Care Compliance Association (HCCA) webinar titled “eCQM Lessons Learned and How to Prepare for 2017 Submissions,” Klug warned attendees about hidden dangers, including the lack of experience among eCQM vendors, inaccurate data submissions, and the challenges posed by multiple types of electronic health record (EHR) data files generated from more than one system. She also gave recommendations for reducing risk and listed sample questions for the information technology (IT) department.

CMS requires hospitals to report eight of 15 eCQMs, with data reported for the entire year. According to Klug, the agency expects “one file, per patient, per quarter,” that includes all episodes of care and measures associated with the patient. Many hospitals use vendors to assist with the eCQM submissions, but Klug noted that vendors must have an adequate amount of time to respond to required changes before submission, and that although many vendors support a broad number of eCQMs, they may lack adequate depth of coverage. Hospitals should choose vendors who are experienced in the eCQMs they are reporting. Further, there is no way to validate the files after they have been submitted. Possible consequences include an annual payment update reduction, failure to receive the EHR incentive payment, or poor quality scores on CMS’ Hospital Compare site.

To reduce risks, hospitals should ask the core measures vendor to validate files before submission to CMS. They should also review file error reports from the vendor and make corrections before the data is submitted. Aggregated file error reports should also be reviewed to ensure that formatting or data elements don’t result in an inaccurate submission. Klug said that accurate coding is absolutely essential. Therefore, hospital IT departments should be prepared to explain how files are validated prior to submission to ensure accuracy, and if not, what the remediation strategy is. Further, compliance professionals should request a file error report, and any other reports to help understand the data being submitted.

Value-based payments and EHRs expected to continue trajectory during reform

Despite the uncertainty surrounding health care reform under the upcoming Trump administration, health law experts project that the transition to value-based payments and further development of electronic health record (EHR) systems will be a constant in the coming years. Four of Avalere Health’s senior vice presidents offered their opinions during the 2017 Healthcare Industry Outlook webinar, making educated guesses about what upcoming changes the industry may see.

What will change?

The webinar started with the topic on everyone’s mind: what will happen to the Patient Protection and Affordable Care Act (ACA)? Broadly, the presenters expect that federal spending on health care will be capped and states will be granted more flexibility in designing their Medicaid programs. Reduction of regulations to encourage the private sector to provide a range of products in a competitive market is also to be expected.

The likelihood of repeal was discussed for several different ACA sections. The most likely to be repealed were the individual and employer mandates, subsidies, industry taxes, the Medicare tax for high earners, and cuts to disproportionate share hospitals. Certain reforms, like protection for pre-existing coverage, drug-related provisions, and changes to Medicare Advantage and Medicaid payment provisions, are considered likely to remain. Subjects likely to be up for serious debate are Medicaid expansion, the Center for Medicare & Medicaid Innovation (CMMI), essential health benefits, and the preventive services coverage requirement.

Other areas

The focus on quality and value in health care is not expected to waver during the new administration. In light of significant regulatory and policy barriers, providers are unable to establish outcome-based contracts and create more innovative payment arrangements. More flexibility in the ability to establish and agree on value between parties is expected to be a policy pressure point.

The value discussion typically focuses on provider performance, but the presenters noted that drugs are an important value consideration, especially in light of rising costs. The traditional approach to determining drug value is expected to evolve, as frameworks had previously been established based on clinical benefit, toxicity, and product cost, which ignored patient considerations and relied too much on data from limited populations. In addition to incorporating more real-world data, drug value frameworks have begun to focus not only on health outcomes but also on patient experiences and financial considerations during treatment.

Although “virtually every hospital” is using some sort of EHR system, interoperability continues to be a sticking point. In the near future, the ability to more effectively use, share, and interact with data is expected to improve. Continued advancements in data analysis are also expected to change the way providers practice, including big advances in population health.

Annual report shows Health IT dramatically improving quality of care

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the health information technology (health IT) landscape has dramatically evolved, with hospitals and health care providers using health IT more than ever. In 2015, 96 percent of hospitals and 78 percent of physician offices used certified EHR technology. The Office of the National Coordinator for Health Information Technology (ONC) details the advancements made in the health IT landscape in its 2016 Report to Congress on Health IT Progress.

Reporting requirements

Section 13113(a) of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5), under the HITECH Act, requires HHS to submit to the appropriate committees of the House of Representatives and the Senate a report (1) describing the specific actions that have been taken by the federal government and private entities to facilitate the adoption of a nationwide system for the electronic use and exchange of health information; (2) describing barriers to the adoption of such a nationwide system; and (3) containing recommendations to achieve full implementation of such a nationwide system. This is the annual update to the previous submissions, which were released on January 17, 2012, June 21, 2013, October 9, 2014, and February 29, 2016.

HHS priorities

The progress of health IT allowed for a transition in focus for HHS to the seamless and secure flow of health information, or interoperability. The advancements set the foundation for delivery system reform, the Cancer Moonshot, combating the opioid epidemic, the Precision Medicine Initiative, clinical innovation, and protecting and advancing public health. HHS has focused on three priority areas:

  • promoting common standards to facilitate the seamless and secure exchange of data, including through the use of standardized, open application programming interfaces (APIs);
  • building the business case for interoperability, particularly through delivery system reform efforts that change the way CMS pays for care to reward quality over quantity of services; and
  • changing the culture around access to information through combating information blocking; ensuring that individuals know they have a right to access and transmit their health information and that health care providers know they must provide access to the individuals; and reminding health care providers that they are legally allowed to exchange information in the course of treatment or coordinating care.

Health IT changing the provision of care

The rapid adoption of health IT has facilitated increased use of functionalities that have real-world clinical impacts. These include clinical decision support, which can point health care providers to evidence-based clinical guidelines at the point of care, facilitate an enhanced diagnosis or treatment path, and alert providers to potentially harmful drug interactions. Hospitals and physicians have also gained the ability to exchange more electronic health information than ever, with 82 percent of non-federal acute care hospitals electronically exchanging laboratory reports, radiology reports, clinical summaries, or medication lists. Approximately 90 percent of hospitals reported that they routinely had clinical information needed from outside sources or health care providers available at the point of care. Notably, EHR systems have transformed the prescribing and dispensing of medications, with e-prescribing systems lowering costs, improving care, and saving lives by reducing medication errors and checking for drug interactions.

Increased access to health information

Digitizing the U.S. health system has empowered individuals to be more in control of their own health decisions. Those with electronic access to their health information can monitor chronic conditions, better adhere to treatment plans, find and fix errors in their records, and directly contribute their information to research. Today, 95 percent of hospitals have the capability to allow patients this type of access.