Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Health Plans Need Your Records: Know What’s Driving Requests and How to Be Prepared

Posted on July 26, 2016 I Written By

The following is a guest blog post by Craig Mercure, Chief Operating Officer of Payer Solutions at CIOX Health.
Craig Mercure
Audits. Reviews. HEDIS. Stars Ratings. No matter what, health plan record requests are growing by leaps and bounds each year. And the stakes are high for health plans to ensure they receive medical records in a timely way. What we also know – the large volume of requests and submission deadlines can put a drain on provider resources.

High volumes of medical record requests make it more important than ever for providers and health plans to work cooperatively and collaboratively. Here’s some helpful background on what’s driving the request for medical records and how providers can be prepared.

There are three primary health plan reviews that receive the most focus: Medicare Risk Adjustment, HEDIS Reviews, and Affordable Care Act (ACA) Medical Records Retrieval (MRR). While there are also other ad hoc requests related to fraud, waste and abuse (e.g., Risk Adjustment Data Validation (RADV), Medicaid, etc.), these three health plan reviews cause the most provider abrasion. Medical practices are getting hammered by them.

Say, for example, that a provider chooses 10 health plans. That provider is going to receive requests from each plan for all three of the main reviews, as well as the ad hoc requests. This has a major influence on record release and all other staff members that are impacted by it. The operational impact of receiving, verifying and fulfilling these requests is growing every year.

Here’s how the top three health plan reviews break down:

Medicare Risk Adjustment (MRA) reviews documentation and diagnosis codes to ensure proper reimbursement from the Centers for Medicare and Medicaid Services (CMS). Most records are retrieved from the primary care physician (PCP), specialty doctors, and in-patient stays—wherever the true value of a particular chart may reside. The MRA reviews typically begin in June and goes through early January.

Volumes have skyrocketed to 18 million record requests over the past several years. Plans are prioritizing Medicare Advantage plans and want to research every member. Therefore, depending on the percentage of Medicare Advantage patients seen by an organization, this review can hit providers hard. Medicare Risk Adjustment reviews are most prevalent in late summer and early fall with the end date for all plans to submit all 2015 diagnoses by January 31, 2017.

Two of the primary pain points for health plans are revenue and quality of care. Consider this hypothetical scenario. A healthy Medicare Advantage member has a score of zero. However, if that member develops diabetes within a given year, the score grows to 2.8. The health plan would receive 2.8 times the normal Medicare expenditure to care for that patient. While demographics and regional data also contribute to determining true ratings, this example is very realistic.

From a quality perspective, the health plan’s purpose for medical record reviews is to identify patients with chronic disease before they fall through the cracks. Plans attempt to effectively communicate with members and secure PCP visits before more costly encounters such as emergency or acute inpatient care occur.

Healthcare Effectiveness Data and Information Set (HEDIS) Reviews are driven by the National Committee for Quality Assurance (NCQA), a 501(c)(3) not-for-profit organization dedicated to improving the quality of health care so patients can make informed decisions about which plan they want to choose. HEDIS collects measures from plans, PPOs, physicians, and other organizations which is fed into a 5-star rating system. This rating system has become a marketing tool to help patients find the best health plans. It’s intended to allow patients to make “apples to apples” comparisons of health plans, similar to how you might shop for a car. The review season is typically February to mid-May.

Affordable Care Act (ACA) Medical Records Retrieval (MRR) is in its first year. These reviews are conducted during the same time frame as HEDIS. ACA-MRR has adopted similar risk methodologies as Medicare Advantage.

For providers, dealing with these reviews has become part of doing business with health plans. However, the amount of operational planning and time required to keep up with all the various requests can be monumental. Each provider site is configured differently in terms of medical record systems and IT security. Many providers outsource the chart retrieval (also called release of information—ROI) function to relieve the burden.

Gathering data in the trenches

Information to fulfill the health plan request may come from PCPs, acute-care hospitals, extended and rehabilitation facilities—wherever the health plan determines that the chart holds the most value. Also, caregivers provide medical records to health plans in a variety of ways. These include, but are not limited to: remote access, portals, secure FTP, CDs, mail, flash drives, emails, scans, and the old-fashioned standard—printed paper. While paper is dwindling, some still exists.

The majority of Medicare Advantage and ACA reviews are at the provider level. Sometimes thousands of records are involved. This can be a huge burden on physicians. Most health plan reviewers are interested in documents describing face-to-face interactions between clinician and member, such as progress notes and encounter notes based on specific dates of service.

For health plans and chart retrieval companies, the goal is always to obtain the necessary information with a minimal amount of provider abrasion. Two specific technology capabilities help smooth the process.

Electronic documentation embedded within the provider’s EMR

Various EMR systems and provider sites capture patient encounter notes differently. Some locations might not capture or maintain the encounter and progress information that is needed in an easy-to-retrieve electronic format.

Remote connectivity to retrieve information

Remote connectivity allows real-time access for the data needed by the health plan or chart retrieval service, mitigating the need for labor-intensive processes and onsite technicians.

An experienced chart retrieval service, like CIOX Health, satisfies the information demands of health plans while also reducing operational workload for providers. They’re responsible for securely linking both sides of the health plan review equation.

Experience eases chart retrieval

A chart retrieval service that repeatedly contracts with a specific health plan for reviews gains a year-over-year advantage. They’ve already connected to all the various provider systems and obtained security clearance. Every year they spend in the trenches, they learn and gain experiential data—giving them a head start for next year’s audit season.

Providers want to be fully compliant with health plan requests. They want to honor the request as quickly and efficiently as possible. Provider preference is to work with one chart retrieval service versus multiple ones over several health plans.

A single service can also field calls and inquiries from all the various health plans. Health plans want records to meet their review requirements, and they can be aggressive if records are past due. An experienced chart retrieval service helps both stakeholders move efficiently through the process—including remote connectivity—to meet health plan deadlines.

Finally, a centralized health information management (HIM) department is another way to ease the burden for providers. With centralization, all records and requests are aggregated. While centralized HIM is common practice in hospitals and health systems, it is not always feasible for physician practices and medical groups.

Cooperative steps must be taken to support health plan reviews while also reducing provider abrasion and operational costs. By working together, both plans and providers remain satisfied and smooth the process for everyone involved.

About Craig Mercure
Craig oversees all aspects of business development, including strategic planning, sales, client services, marketing, product development, finance and communications. He also leads the infrastructure development of the company as it grows, which includes: systems, processes, pipeline management, trade support, marketing, facilities, personnel recruitment and development. Over the past 15 years, Craig has worked in executive leadership positions within the electronic medical record and medical documentation industry.

Joint Commission Now Allows Texting Of Orders

Posted on May 17, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For a long time, it was common for clinicians to share private patient information with each other via standard text messages, despite the fact that the information was in the clear, and could theoretically be intercepted and read (which this along with other factors makes SMS texts a HIPAA violation in most cases). To my knowledge, there have been no major cases based on theft of clinically-oriented texts, but it certainly could’ve happened.

Over the past few years, however, a number of vendors have sprung up to provide HIPAA-compliant text messaging.  And apparently, these vendors have evolved approaches which satisfy the stringent demands of The Joint Commission. The hospital accreditation group had previously prohibited hospitals from sanctioning the texting of orders for patient care, treatment or services, but has now given it the go-ahead under certain circumstances.

This represents an about-face from 2011, when the group had deemed the texting of orders “not acceptable.” At the time, the Joint Commission said, technology available didn’t provide the safety and security necessary to adequately support the use of texted orders. But now that several HIPAA-compliant text-messaging apps are available, the game has changed, according to the accrediting body.

Prescribers may now text such orders to hospitals and other healthcare settings if they meet the Commissioin’s Medication Management Standard MM.04.01.01. In addition, the app prescribers use to text the orders must provide for a secure sign-on process, encrypted messaging, delivery and read receipts, date and time stamp, customized message retention time frames and a specified contact list for individuals authorized to receive and record orders.

I see this is a welcome development. After all, it’s better to guide and control key aspects of a process rather than letting it continue on underneath the surface. Also, the reality is that healthcare entities need to keep adapting to and building upon the way providers actually communicate. Failing to do so can only add layers to a system already fraught with inefficiencies.

That being said, treating provider-to-provider texts as official communications generates some technical issues that haven’t been addressed yet so far as I know.

Most particularly, if clinicians are going to be texting orders — as well as sharing PHI via text — with the full knowledge and consent of hospitals and other healthcare organizations — it’s time to look at what it takes manage that information more efficiently. When used this way, texts go from informal communication to extensions of the medical record, and organizations should address that reality.

At the very least, healthcare players need to develop policies for saving and managing texts, and more importantly, for mining the data found within these texts. And that brings up many questions. For example, should texts be stored as a searchable file? Should they be appended to the medical records of the patients referenced, and if so, how should that be accomplished technically? How should texted information be integrated into a healthcare organization’s data mining efforts?

I don’t have the answers to all of these questions, but I’d argue that if texts are now vehicles for day-to-day clinical communication, we need to establish some best practices for text management. It just makes sense.

OCR Cracking Down On Business Associate Security

Posted on May 13, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For most patients, a data breach is a data breach. While it may make a big difference to a healthcare organization whether the source of a security vulnerability was outside its direct control, most consumers aren’t as picky. Once you have to disclose to them that the data has been hacked, they aren’t likely be more forgiving if one of your business associates served as the leak.

Just as importantly, federal regulators seem to be growing increasingly frustrated that healthcare organizations aren’t doing a good job of managing business associate security. It’s little wonder, given that about 20% of the 1,542 healthcare data breaches affecting 500 more individuals reported since 2009 involve business associates. (This is probably a conservative estimate, as reports to OCR by covered entities don’t always mention the involvement of a business associate.)

To this point, the HHS Office for Civil Rights has recently issued a cyber-alert stressing the urgency of addressing these issues. The alert, which was issued by OCR earlier this month, noted that a “large percentage” of covered entities assume they will not be notified of security breaches or cyberattacks experienced by the business associates. That, folks, is pretty weak sauce.

Healthcare organizations also believe that it’s difficult to manage security incidents involving business associates, and impossible to determine whether data safeguards and security policies and procedures at the business associates are adequate. Instead, it seems, many covered entities operate on the “keeping our fingers crossed” system, providing little or no business associate security oversight.

However, that is more than unwise, given that the number of major breaches have taken place because of an oversight by business associates. For example, in 2011 information on 4.9 million individuals was exposed when unencrypted backup computer tapes are stolen from the car of a Science Applications International Corp. employee, who was transporting tapes on behalf of military health program, TRICARE.

The solution to this problem is straightforward, if complex to implement, the alert suggests. “Covered entities and business associates should consider how they will confront a breach at their business associates or subcontractors,” and make detailed plans as to how they’ll address and report on security incidents among these group, OCR suggests.

Of course, in theory business associates are required to put their own policies and procedures in place to prevent, detect, contain and correct security violations under HIPAA regs. But that will be no consolation if your data is exposed because they weren’t holding their feet to the fire.

Besides, OCR isn’t just sending out vaguely threatening emails. In March, OCR began Phase 2 of its HIPAA privacy and security audits of covered entities and business associates. These audits will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standard interpretation specifications of the Privacy, Security, and Breach Notification Rules,” OCR said at the time.

The Downside of Interoperability

Posted on May 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

It’s hard to argue that achieving health data interoperability is not important — but it comes with risks. And I’ve seen little discussion of the fact that interoperability may actually increase the chance that a major attack could hit a wide swath of healthcare providers. It might be extreme to suggest that we put off such efforts until we step up the industry’s security status, but the problem shouldn’t be ignored either.

Sure, data interoperability is a critical goal for healthcare providers of all stripes. While there’s room to argue about how it should be accomplished, particularly over whether providers or patients should drive health data management, there’s no question it needs to get done. There’s little doubt that most efforts to coordinate care will fall flat if providers are operating with incomplete information.

And what’s more, with the demand for interoperability baked into MACRA, we pretty much have no choice but to make it happen anyway. To my knowledge, HHS has proposed neither carrot nor stick to convince providers to come on board – nor has it defined “widespread” interoperability to my knowledge — but the agency has to achieve something by 2018, and that means change will come.

That being said, I’m struck by how little industry concern there seems to be about the extent to which interoperability can multiply the possibility of a breach occurring. Unfortunately, security is only as good is the weakest link in the chain, and data sharing increases the length of the chain exponentially. Of course, the risk varies a great deal depending on who or what the data-sharing intermediary is, but the fact remains that a connected network is a connected network.

The problem only gets worse if interoperability is achieved by integrating applications. I’m no software engineer, but I’m pretty sure that the more integrated providers’ infrastructure is, the more vulnerabilities they share. To be fair, hospitals theoretically vet their partners, but that defeats the purpose of universal data sharing, doesn’t it?

And even if every provider in the universal data sharing network practices good security hygiene, they can still get attacked. So it’s not a matter of requiring participants to comply with some network security standard, or meet some certification criteria. Given the massive incentives these have to steal health data (and lock it up with ransomware), nobody can hold out forever.

The bottom line is that I believe we should discuss the matter of security in a fully-connected health data sharing network more often.

Yes, we almost certainly need to press ahead and simply find a way to contain the risks. We simply can’t afford our fragmented healthcare system, and data interoperability offers perhaps the best possible chance of pulling it back together.

But before we plunge into the fray, it only makes sense to stop and consider all of the risks involved and how they should be addressed. After all, universal interconnection exposes a virtually infinite number of potential points of failure to cybercrooks. Let’s put some solutions on the table before it’s too late.

Breach Affecting 2.2M Patients Highlights New Health Data Threats

Posted on April 4, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A Fort Myers, FL-based cancer care organization is paying a massive price for a health data breach that exposed personal information on 2.2 million patients late last year. This incident is also shedding light on the growing vulnerability of non-hospital healthcare data, as you’ll see below.

Recently, 21st Century Oncology was forced to warn patients that an “unauthorized third party” had broken into one of its databases. Officials said that they had no evidence that medical records were accessed, but conceded that breached information may have included patient names Social Security numbers, insurance information and diagnosis and treatment data.

Notably, the cancer care chain — which operates on hundred and 45 centers in 17 states — didn’t learn about the breach until the FBI informed the company that it had happened.

Since that time, 21st Century has been faced with a broad range of legal consequences. Three lawsuits related to the breach have been filed against the company. All are alleging that the breach exposed them to a great possibility of harm.  Patient indignation seems to have been stoked, in part, because they did not learn about the breach until five months after it happened, allegedly at the request of investigating FBI officials.

“While more than 2.2 million 21st Century Oncology victims have sought out and/or pay for medical care from the company, thieves have been hard at work, stealing and using their hard-to-change Social Security numbers and highly sensitive medical information,” said plaintiff Rona Polovoy in her lawsuit.

Polovoy’s suit also contends that the company should have been better prepared for such breaches, given that it suffered a similar security lapse between October 2011 and August 2012, when an employee used patient names Social Security numbers and dates of birth to file fraudulent tax refund claims. She claims that the current lapse demonstrates that the company did little to clean up its cybersecurity act.

Another plaintiff, John Dickman, says that the breach has filled his life with needless anxiety. In his legal filings he says that he “now must engage in stringent monitoring of, among other things, his financial accounts, tax filings, and health insurance claims.”

All of this may be grimly entertaining if you aren’t the one whose data was exposed, but there’s more to this case than meets the eye. According to a cybersecurity specialist quoted in Infosecurity Magazine, the 21st Century network intrusion highlights how exposed healthcare organizations outside the hospital world are to data breaches.

I can’t help but agree with TrapX Security executive vice president Carl Wright, who told the magazine that skilled nursing facilities, dialysis centers, imaging centers, diagnostic labs, surgical centers and cancer treatment facilities like 21st are all in network intruders’ crosshairs. Not only that, he notes that large extended healthcare networks such as accountable care organizations are vulnerable.

And that’s a really scary thought. While he doesn’t say so specifically, it’s logical to assume that the more unrelated partners you weld together across disparate networks, it multiplies the number of security-related points of failure. Isn’t it lovely how security threats emerge to meet every advance in healthcare?

Cyber Breach Insurance May Be Useless If You’re Negligent

Posted on March 28, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Ideally, your healthcare organization will never see a major data breach. But realistically, given how valuable healthcare data is these days — and the extent to which many healthcare firms neglect data security — it’s safer to assume that you will have to cope with a breach at some point.

In fact, it might be wise to assume that some form of costly breach is inevitable. After all, as one infographic points out, 55 healthcare organizations reported network attacks resulting in data breaches last year, which resulted in 111,809,322 individuals’ health record information being compromised. (If you haven’t done the math in your head, that’s a staggering 35% of the US population.)

The capper: if things don’t get better, the US healthcare industry stands to lose $305 billion in cumulative lifetime patient revenue due to cyberattacks likely to take place over the next five years.

So, by all means, protect yourself by any means available. However, as a recent legal battle suggests, simply buying cyber security insurance isn’t a one-step solution. In fact, your policy may not be worth much if you don’t do your due diligence when it comes to network and Internet security.

The lawsuit, Columbia Casualty Company v. Cottage Health System, shows what happens when a healthcare organization (allegedly) relies on its cyber insurance policy to protect it against breach costs rather than working hard to prevent such slips.

Back in December 2013, the three-hospital Cottage Health System notified 32,755 of its patients that their PHI had been compromised. The breach occurred when the health system and one of its vendors, InSync, stored unencrypted medical records on an Internet accessible system.

It later came out that the breach was probably caused by careless FTP settings on both systems servers which permitted anonymous user access, essentially opening up access to patient health records to anyone who could use Google. (Wow. If true that’s really embarrassing. I doubt a sharp 13-year-old script kiddie would make that mistake.)

Anyway, a group of presumably ticked off patients filed a class action suit against Cottage asking for $4.125 million. At first, cyber breach insurer Columbia Casualty paid out the $4.125 million and settled the case. Now, however, the insurer is suing Cottage, asking the health system to pay it back for the money it paid out to the class action members. It argues that Cottage was negligent due to:

  • a failure to continuously implement the procedures and risk controls identified in the application, including, but not limited to, its failure to replace factory default settings and its failure to ensure that its information security systems were securely configured; and
  • a failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure.

Not only that, Columbia Casualty asserts, Cottage lied about following a minimum set of security practices known as a “Risk Control Self Assessment” required as part of the cyber insurance application.

Now, if the cyber insurer’s allegations are true, Cottage’s behavior may have been particularly egregious. And no one has proven anything yet, as the case is still in the early stages, but this dispute should still stand as a warning to all healthcare organizations. If you neglect security, then try to get an insurance company to cover your behind when breaches occur, you might be out of luck.

The Easiest Form of Healthcare Information Blocking – Charge for It

Posted on March 23, 2016 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve watched the discussion around information blocking in healthcare with a lot of interest. I’ve seen many people (including the government) talk about how information blocking is a major issue in healthcare and that we need to do something to solve the problem of information blocking. I’ve read other organizations who have searched for information blocking and say they can’t find it and that people are overstating the issue of information blocking.

I do think that some people overstate how big of an issue information blocking is, but I know that it’s a problem. Sometimes the information blocking is done purposefully, but other times it’s happening without much thought as to why they should or shouldn’t take part in information sharing.

As I’ve watched this discussion evolve and the drive towards interoperability I’ve realized that what’s happening in interoperability today could very well be the easiest and most legal form of information blocking that exists: charge for the information.

When I look into the future of information sharing, I can see EHR vendors salivating at these new found revenue streams associated with data sharing. Sure, it will only be pennies or fractions of a penny to share each record. However, when you spread that across millions and millions of records those fractions of a penny really start to add up.

When I look at the interoperability options that are being built today, these options are going to be able to charge for access to this data in a very granular way. All the data sharing is easily tracked and if it’s being tracked it can easily be charged for. I expect large healthcare organizations are going to have to start creating entire budgets dedicated to the cost of interoperability.

Once this happens smaller healthcare organizations are going to be blocked out of accessing the data. However, they won’t be literally blocked out of accessing the data like they are now. Instead, they’ll have access to the data, but the cost to access the data will be so much that they’ll be unable to access the data due to the high costs.

If you’re someone who’s a fan of information blocking, this is the perfect solution. No one can tell you that they couldn’t get access to the data, because they could get access to the data. All they had to do was pay for it. The fact that they couldn’t afford to access the data is a different issue. I expect this day will come sooner than we think.

Ransomware Crisis Demands Provider Cooperation

Posted on February 22, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A few days ago, the sadly-predictable news broke that a U.S. hospital had been hit with a ransomware attack. Initial reports were that hackers demanded that Hollywood (CA) Presbyterian Medical Center pay $3.4M in bitcoins to regain access to its data. The hospital refused, and began working with paper to meet its patients’ needs. However, it was later reported that the $3.4 million number was wrong and the hospital was only asked to pay $17,000. The hospital chose to pay the ransom and got data access back.  But the mere fact that Hollywood Presbyterian got off relatively easily shouldn’t blind us to the growing ransomware threat, nor the steps we need to take to address this crisis.

Now, before I ramble on about what I think should be done, please bear in mind that I’m an HIT analyst and writer, not a network engineer. So the modest proposal is coming from a non-technical person, but I do believe that it has some merit as an idea. Hopefully readers will continue to improve, debate, and educate us on the merits and challenges of the idea in the comments.

Here’s my proposal. Whereas:

* Hospitals can’t afford to have their data randomly locked any more than airlines can afford to have their engines do so, AND

* Nobody wants to voluntarily create a ransomware market that grows steadily stronger as hospitals pay up, SO

I suggest we find a new way for hospitals to cover each others’ back. The idea would be to make it more or less impossible for hackers to capture all of another hospital’s data.

Here’s where I get hazy, so follow me — and criticize me, please — but what if every hospital had a few sister hospitals which held part of the day’s data backup?  I can see attackers shimmying through every currently available connection at a single institution, but would all five be vulnerable if they only connected in the event a data lockout at hospital A?

Even if such a peer to peer architecture would work, I’m not sure it would be practical. After all, it’s one thing to download an illegal software copy via P2P and quite another to help restore a terabyte or more of data.

Also, it certainly hasn’t escaped me that there are serious competitive concerns involved in setting up such arrangements, though those could certainly be mitigated by the fact that no sister hospital would have a complete data set for Hospital A.

Even if this idea is utter garbage, however, I believe we’ve reached a point where if we’re going to fight ransomeware, some form of deep industry cooperation is necessary. Let’s not wait for patients to be harmed or die due to data lock-out.

Could the Drive to Value-Based Healthcare Undermine Security?

Posted on November 27, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As we all know, the healthcare industry’s move toward value-based healthcare is forcing providers to make some big changes. In fact, a recent report by peer60 found that 64% of hospitals responding cited oncoming value-based reimbursement as their top challenge. Meanwhile, only 30% could say the same of improving information security according to peer60, which recently surveyed 320 hospital leaders.

Now, the difference in concern over the two issues can be chalked up, at least in part, to the design of the survey. Obviously, there’s a good chance that a survey of CIOs would generate different results. But as the report’s authors noted, the survey might also have exposed a troublesome gap in priorities between health IT and the rest of the hospital C-suite.

It’s hardly surprising hospital leaders are focused on the life-and-death effects of a major change in payment policy. Ultimately, if a hospital can’t stay in business, protecting data won’t be an issue anymore. But if a hospital keeps its doors open, protecting patient data must be given a great deal of attention.

If there is a substantial gap between CIOs and their colleagues on security, my guess is that the reasons include the following:

  • Assuming CIOs can handle things:  Lamentable though it may be, less-savvy healthcare leaders may think of security as a tech-heavy problem that doesn’t concern them on a day-to-day level.
  • Managing by emergency:  Though they might not admit it publicly, reactive health executives may see security problems as only worth addressing when something needs fixing.
  • Fear of knowing what needs to be done:  Any intelligent, educated health exec knows that they can’t afford to let security be compromised, but they don’t want to face up to the time, money and energy it takes to do infosec right.
  • Overconfidence in existing security measures:  After approving the investment of tens or even hundreds of millions on health IT, non-tech health leaders may find it hard to believe that perfect security isn’t “built in” and complete.

I guess the upshot of all of this is that even sophisticated healthcare executives may have dysfunctional beliefs about health data security. And it’s not surprising that health leaders with limited technical backgrounds may prefer to attack problems they do understand.

Ultimately, this suggests to me that CIOs and other HIT leaders still have a lot of ‘splaining to do. To do their best with security challenges, health IT execs need the support from the entire leadership team, and that will mean educating their peers on some painful realities of the trade.

After all, if security is to be an organization-wide process — not just a few patches and HIPAA training sessions — it has to be ingrained in everything employees do. And that may mean some vigorous exchanges of views on how security fosters value.

Health Information Governance of 3rd Party Vendors

Posted on August 26, 2015 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I love when my eyes are opened to an issue that I haven’t heard people talking about. That’s what happened when I heard Deborah Green from AHIMA say that health information governance includes your third party vendors. I’m not sure how many organizations realize this and treat it appropriately.

What’s ironic is that we definitely do this with HIPAA. This is particularly true in the HIPAA omnibus world. Healthcare organizations have a certain expectation around security and privacy when it comes to their third party vendors. It’s a major part of every RFP I’ve ever seen in healthcare.

Why then don’t we treat information governance with third parties the same as we do with HIPAA?

My guess is that some organizations do, but they haven’t really thought about it in this way. It’s an informal part of how they deal with third party vendors. For example, how are third party vendors storing your organization’s health data? Do they dispose of it properly? etc etc etc. These are all great health information governance questions that we’re asking ourselves, but are we asking our third party vendors these questions as well? Should we be asking them?

One challenge I think we face is that we assume that if we’re paying a vendor to do something, that the vendor is going to do it the right way. We assume that a paid service is going to be done in the best way possible. I’m sure your experience like mine is that just isn’t the case. Was it Reagan that said, Trust but verify? That seems appropriate in this instance.

What’s clear to me is that health data is going to become more and more valuable to healthcare organizations. Making sure you have a handle on that data is going to be an important part of ensuring your financial future. That includes making sure that your third party vendors use good health information governance principles as well.