Tennessee Blues' Data Theft May Impact 500,000 Members

With the HITECH breach notification rules weeks away from taking effect, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information. In a notice posted on its website as of January 13, 2010, the company stated that hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a former call center, including video images from computer screens of customer service representatives and audio files of recorded phone conversations. The files contained members’ personal data and protected health information, including members’ names and BlueCross ID numbers, diagnostic information, dates of birth and Social Security numbers. This information was encoded but not encrypted, and the company has no evidence that the data has been accessed or used by the thieves.

The company has chosen to voluntarily follow the HITECH notice rules that formally kick in as of February 22, 2010. They estimate that the breach may have affected up to a total of 500,000 members in all 50 states. So far, they have identified approximately 220,000 members whose data may have been compromised and are in the process of sending them notices by mail. They have identified 32 states with 500 or more members whose data may be at risk. The company notified the Secretary of HHS, the State of Tennessee and the attorney general’s office and media in each state with 500 or more affected members, and notified all three credit bureaus.

 

The company is also offering a one-year free credit-monitoring membership through Equifax to affected members, and three tiers of additional protective services based on the amount of information believed to have been compromised.

 

The company’s first challenge has been to identify affected members. They have engaged a national security consultant, Kroll. Unlike patient information in text or database format that could be easily reviewed to identify patients at risk (and “mined” for identity theft purposes), the hundreds of thousands of audio and video recordings must be manually reviewed.

Getting Meaningful with EHR

 

The Health Information Technology for Economic and Clinical Health Act or the “HITECH Act” provides incentive payments for adoption and meaningful use of HIT and qualified EHRs. CMS published a proposed rule defining "meaningful use" on December 30. It's 566 double-spaced pages long, and can be found here: http://www.federalregister.gov/OFRUpload/OFRData/2009-31217_PI.pdf.

An eligible physician or other professional (“EP”) or hospital will be deemed to be a meaningful EHR user of technology certified by HHS if the user:

(1) demonstrates use of certified EHR technology in a meaningful manner;

(2) demonstrates to the satisfaction of the Secretary of HHS that certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care such as promoting care coordination, in accordance with all laws and standards applicable to the exchange of information; and

(3) using its certified EHR technology, submits to the Secretary, in a form and manner specified by the Secretary, information on clinical quality measures and other measures specified by the Secretary.

 

The measures include:

  • Implement drug-drug, drug-allergy, drug-formulary checks.
  • Input at least one diagnosis based on ICD-9-CM or SNOMED CT or an indication of none for 80% of all unique patients seen by the EP or admitted to an eligible hospital.
  • Maintain active medication lists for 80% of patients seen or admitted.
  • Record demographic info including preferred language; insurance type; gender; race; ethnicity and date of birth for 80% of patients seen or admitted
  • Record blood pressure and BMI and plot the growth chart for children age 2 to 20 years old for 80% of patients seen or admitted;
  • Record smoking status of 80% of patients age 13 or over;
  • Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research and outreach.
  • Implement five clinical decision support rules relevant to specialty or high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
  • Check insurance eligibility electronically for 80% of patients
  • Submit 80% of claims electronically
  • Provide summary of care record for at least 80% of transitions of care and referrals
  • Use computerized provider order entry (CPOE) for 80% of orders.
  • Transmit at least 75 percent of all permissible prescriptions electronically.
  • Report clinical quality measures as required by HHS.
  • Send electronic reminders to at least 50 percent of all unique patients seen by the EP that are 50 years of age and over.
  • Provide requested electronic copies of patients’ health information within 48 hours of patient requests in 80% of cases.
  • Provide patients with timely electronic access to their health information (including diagnostic test results, problem list, medication lists, and allergies) within 96 hours of the information being available to the EP for at least 10 percent of all unique patients seen by the EP.
  • Provide clinical summaries to patients for each office visit for at least 80 percent of all office visits.

 

 

Will Too Much "Meaning" = Not Enough Use?

When I first reviewed the Matrix and other documents released by the HIT Policy Committee’s “Meaningful Use” Workgroup, my initial reaction was “When did defining ‘Meaningful Use’ of EHR morph into attempting to use EHRs to ‘meaningfully’ reform the entire healthcare delivery system?” More simply put, the Workgroup’s initial recommendations seemed to me to be over-ambitious.

The term "Meaningful EHR User" in ARRA (at Title IV, subtitle A, section 4104) is described as "an eligible professional" who meets the following criteria: 

  1. demonstrates that he/she is using certified EHR technology in a "meaningful manner, which shall include the use of electronic prescribing";
  2. demonstrates that he/she uses the certified EHR technology to be "connected, in a manner that provides... for the electronic exchange of health information to improve the quality of health care, such as promoting care coordination"; and
  3. submits information on selected "clinical quality measures".   

In my view, the first round of "Meaningful Use" requirements should be specific and reasonably achievable by healthcare providers. For example, perhaps the terms could require that the healthcare provider demonstrate how he/she uses electronic prescribing at least 75% of the time; or, how a provider records patient notes and medical encounter information in a certified EHR for no less than 75% of his/her new patient encounters.   

 

Interestingly, the National Coordinator for HIT decided to “send the workgroup back to work on another set [of recommendations]" for defining Meaningful Use soon after the Workgroup released its first set of recommendations. In the second go around, I think that many in the healthcare industry hope to see Meaningful Use criteria that are attainable by healthcare providers on a practical level. Otherwise, the entire premise of the HITECH Act providing incentives to increase EHR adoption could be thwarted. 

 

Fox Rothschild to Participate at NIST and CMS Security Rule Conference

As HITECH refocuses the health care industry’s attention on security, the role of the National Institute of Standards and Technology (“NIST”) in developing standards for health information security will move closer to center stage.

On May 18, 2009, Fox Rothschild LLP will present at the NIST and CMS Security Rule Conference in Gaithersburg, Maryland called “Safeguarding Health Information: Building Assurance Through HIPAA Security”. Elizabeth Litten, Esq., a partner of Fox Rothschild’s Health Law Group, and Co-chair of its Government Relations practice group, will be presenting at the NIST/CMS Security Conference as part of a Panel Discussion on Assessments from the Organizational Perspective. The panel will share its experiences with, and expectations for, audits, assessments, and compliance reviews, and provide strategies for greater assessment efficiencies. For further information on the NIST/CMS Security Rule Conference, please visit the NIST website.

 

For a copy of the PowerPoint presentation prepared by Elizabeth and Helen Oscislawski, Esq. for the NIST/CMS Security Rule Conference, please visit our Blog again next week, or if you subscribe to our Blog a copy will be e-mailed to you directly.