
The Power of Combining Clinical & Claims Data

Posted on November 16, 2017

The following is a guest blog by Monica Stout from MedicaSoft

Whether the goal is to improve outcomes or increase efficiency, the healthcare industry finds itself searching for more and better data to support its efforts. Clinical data provides substantial details on patient encounters, but it is often difficult to assemble and integrate data from more than one healthcare provider. Claims data is better at following a patient across multiple care providers, but lacks information on patient health status and outcomes. Individually, both sets of data tell helpful stories, from chronicling the cost of care to reflecting how medicine is practiced. Together, clinical and claims data provide a fuller picture of a patient’s interactions with health care systems, the costs involved, and the results achieved. This larger picture provides the information that healthcare providers and insurers can use to guide their actions.

Assembling this data and making it available in a useful framework remains challenging. Data is not always available from providers and payers. When data is available, it is often not standardized (a particular issue with clinical data), making analysis difficult. So, how do organizations avoid investing time and money in efforts that fail to produce meaningful results? How do you make the data useful and improve patient satisfaction, care quality, and drive down system costs?

  1. Better data sharing agreements. Both providers and payers need more stringent data sharing agreements in place as well as insistence that they receive good data from plans.
  2. Address data quality issues head-on. Use real experts armed with specific tools to address any data quality issues within an organization.
  3. Use technology to help. Clinical data platforms can aggregate and integrate data into clinically relevant patient records, and claims data platforms extract relevant information from the complexity of the underlying claims data. Further, new advanced platforms help integrate clinical and claims data to support meaningful analytics.

Bringing together clinical data and claims data in a form that supports a variety of tools and analytics is key to the efforts of both healthcare providers and payers to improve outcomes, quality, and cost. This integrated data approach will yield better results than can be achieved with clinical or claims data alone. Stakeholders can and should leverage both policy and technology to develop solutions that produce meaningful results.

Are you combining clinical and claims data in your organization? What value have you gotten out of doing so? Why aren’t you doing it if you’re not?

About Monica Stout
Monica is a HIT teleworker in Grand Rapids, Michigan by way of Washington, D.C., who has consulted at several government agencies, including the National Aeronautics and Space Administration (NASA) and the U.S. Department of Veterans Affairs (VA). She’s currently the Marketing Director at MedicaSoft. Monica can be found on Twitter @MI_turnaround or LinkedIn.

About MedicaSoft
MedicaSoft designs, develops, delivers, and maintains EHR, PHR, and UHR software solutions and HISP services for healthcare providers and patients around the world. MedicaSoft is a proud sponsor of Healthcare Scene. For more information, visit www.medicasoft.us or connect with us on Twitter @MedicaSoftLLC, Facebook, or LinkedIn.

Communication Strategies Must Include Caregivers, Too

Posted on November 9, 2017

The following is a guest blog post by Chelsea Kimbrough from Stericycle Communication Solutions, as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms

Millions of healthcare-centric communications occur every day between providers, doctors, professionals, patients, and caregivers. These communications are often focused on the patient. This is a great thing, as the patient is the individual in need of care. Frequently, however, communication strategies are developed to meet patients’ needs and don’t truly consider how to best engage caregivers.

At one point or another, most of us will act as a caregiver for a child, spouse, or parent. We may even be responsible for coordinating multiple patient journeys at once. And should that responsibility come, we’ll likely find the best experiences with healthcare organizations that not only provide excellent patient care, but convenient communications.

According to the National Alliance for Caregiving and AARP, 48 percent of caregivers are 18 to 49-years-old. And as this population ages and more young individuals step into the caregiver role, more caregivers will have been raised in homes with Internet access, smartphones, and more. In order to create caregiver-friendly experiences, healthcare organizations should ensure their communication strategies are mobile-optimized, technology-driven, and readily accessible.

Already, caregivers are seeking out ways to simplify communications with healthcare organizations. Instead of making a telephone call to schedule an appointment, many are opting to schedule appointments on behalf of patients online. By providing an easy-to-use online scheduling platform, healthcare organizations can not only ensure busy caregivers can quickly secure an appointment, they can help drive new patient acquisition.

Likewise, appointment reminders – especially those delivered via text message, which are read in the first three minutes by 90 percent of recipients – can be incredibly beneficial for both patients and healthcare organizations. By sending out a strategically timed reminder in a way caregivers are sure to see, healthcare organizations can decrease no-show rates. Here at Stericycle Communication Solutions, we’ve seen no-show rates drop by as much as 80 percent once our appointment reminder solution was implemented – a figure that impacted both the organization’s population and financial health.

A few other ways healthcare organizations can ensure they are ready to meet caregivers’ evolving needs include:

  • Implementing a website that is mobile-friendly and up-to-date
  • Communicating the same information no matter the tool, technology, department, or professional someone may interact with
  • Ensuring the entities listed above have access to the information they need to provide consistent, reliable experiences
  • Answering all phone calls with a live, friendly voice prepared to meet their every need

Caregivers and patients alike want predictable and repeatable experiences no matter which communication channel they choose. Commercial sectors call these “omnichannel” experiences; healthcare organizations should implement communication strategies and infrastructure that can keep pace with evolving technology and communication preferences. Healthcare organizations that are readily able to introduce new communication channels will be best positioned to secure loyalty and success.

To learn more about how consumer-minded patients are driving the need for omnichannel experiences in the healthcare industry, check out our recent e-book, OmniWhat?!

The Communication Solutions Series of blog posts is sponsored by Stericycle Communication Solutions, a leading provider of high quality telephone answering, appointment scheduling, and automated communication services. Stericycle Communication Solutions combines a human touch with innovative technology to deliver best-in-class communication services. Connect with Stericycle Communication Solutions on social media: @StericycleComms

HIT for HIEs

Posted on October 17, 2017

The following is a guest blog by Mike O’Neill, CEO at MedicaSoft. This is the third blog in a three-part sponsored blog post series focused on new HIT for integration. Each month, a different MedicaSoft expert will share insights on new and innovative technology and its applications in healthcare.

Health Information Exchanges (HIEs) have been in the news lately, and for good reason. With major hurricanes devastating Texas, Florida, the British Virgin Islands, and Puerto Rico, accessibility of patient health information rapidly became a major concern. Electronic Health Record adoption has led to most patient data being in electronic form, but it hasn’t necessarily made that data available when and where care is delivered. HIEs can help make that data available; during the recent storms two HIEs were able to spring to action to help clinicians provide care for patients. The ability of the Houston and San Antonio-area HIEs (Greater Houston Healthconnect (GHHC) and Healthcare Access San Antonio (HASA)) to exchange information allowed patient records to be accessed remotely – which was absolutely critical during this natural disaster.

If you were on the fence about “the cloud,” this is the perfect case study in its effectiveness. More than ever, HIEs are called upon to assist by making health records available during critical care encounters. HIEs need modern technology to best serve their communities in these instances, going beyond basic connectivity and interoperability to deliver tangible value using the wealth of data they collect:

  1. Organize the data into meaningful health records. HIEs often have access to years of raw data. They may need help organizing it into a clinical data repository, matching patients, and providing a health record that is clinically useful. This is one way we assist HIEs in using the data they’ve collected.
  2. Provide valuable alerts & notifications. These are useful, especially in a crisis, to locate patients, but they can also give patients notice of events they need to follow up on. This is another layer we build onto HIEs’ data foundation.

Health records that are useful go a long way – beyond individual hospitals, and regions and state lines. To be useful, health records must go where the patients go, wherever that may be.

An emerging approach to meeting this need is the Strategic Health Information Exchange Collaborative’s (SHIEC) Patient-Centered Data Home (PCDH) concept among HIEs. PCDH helps providers access real-time health information across regional and state lines, wherever the patient is seeking care. Regardless of where the clinical data originates, it becomes part of the patient’s longitudinal record – the PCDH – giving patients control of their data.

About Mike O’Neill
Mike is the CEO at MedicaSoft. He came to MedicaSoft from the U.S. Department of Veterans Affairs (VA) where he was a Senior Advisor and member of the founding team of the VA Center for Innovation. Mike serves as the Chairman of the Board of Directors of the Open Source Electronic Health Record Alliance (OSEHRA). Prior to VA, Mike was involved in the commercialization of new products and technology in startups and large companies. He is a die-hard Virginia Tech Hokie.  

About MedicaSoft
MedicaSoft designs, develops, delivers, and maintains EHR, PHR, and UHR software solutions and HISP services for healthcare providers and patients around the world. For more information, visit www.medicasoft.us or connect with us on Twitter @MedicaSoftLLC, Facebook, or LinkedIn.

Where Patient Communications Fall Short?

Posted on October 12, 2017

The following is a guest blog post by Sarah Bennight, Marketing Strategist for Stericycle Communication Solutions, as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms

We are constantly switching devices to engage in our daily lives. In fact, in the last ten minutes I have searched a website on my desktop computer, answered a phone call, and checked several text messages and emails on my cellphone. Our ability to seamlessly jump from one device to the next affects our consumer behavior when interacting with places of business.

Today, we can order coffee and groceries online, web chat with our internet service company, and research store offerings before ever physically walking into a building. Traditionally, healthcare consumers had mainly phone support until the 2014 Meaningful Use 2 rule dictated messaging with a physician and patient portal availability. Recently, online scheduling and urgent care check-in have become attractive offerings for healthcare consumers wanting to take control of their calendars and wait times.

Healthcare is certainly expanding functionality and communication channels to meet consumer demand. But where are we falling short? The answer may be relatively simple: data integration. Much like the clinical side of the healthcare business, integration is a gap we must solve. The key to turning technological convenience into optimal experience is evolving multichannel patient interactions into omnichannel support.

Omnichannel means providing a seamless experience regardless of channel or device. In the healthcare contact center, this means ensuring live agents, scheduling apps, chat bots, messaging apps, and all other interaction points share data across channels. It removes the individual information silos surrounding the patient journey, and connects them into one view from patient awareness to care selection, and again when additional care is needed.

In 2016, Cisco Connect cited four key reasons a business should invest in omnichannel consumer experiences, but I believe this resonates in the healthcare world as well:

  1. A differentiated patient and caregiver experience which is personal and interactive. Each care journey is unique, and patients’ initial experiences should resonate and instill confidence in your brand. We now communicate with several generations who have different levels of comfort with technology and online resources. Offering multiple channels of interaction is crucial to success in the competitive healthcare space. But don’t stop there! Integrated channels connecting the data points along the journey into and beyond the walls of the care facility will create lasting loyalty.
  2. Increased profit and revenue. The journey to finding a doctor or care facility begins long before a patient walks in your door. Most of these journeys begin online, by asking friends, and by checking online reviews. Once an initial decision is made to visit your organization, you can extend your marketing budget by targeting patients who might actually be interested in your services. When you know what your patients’ needs are, there is a greater focus and a higher chance of conversion.
  3. Maintain and contain operating costs. Integrating with EMRs is not always the easiest task. However, your scheduling and reminder platforms must be able to talk to each other, not only for the optimal experience but also for efficient internal process management. For example, if a patient receives a text reminder about an appointment and realizes the timing won’t work, they can request to reschedule via text. Real-time communication with the EMR enables agents currently on the phone with other patients to see the original appointment open up and grab the slot. Imagine the streamlining for the patient as well in an integrated platform. Go beyond the ‘request to reschedule’ return text and send a message that says, “We see that you want to reschedule your appointment. Here are some alternative times available.” Take it one step further with a one-click scheduling process. With this capability, the patient could immediately book without a follow-up phone call reminder or staff having to hunt them down to book.
  4. Faster time to serve the patient. When systems and people communicate pertinent data, faster issue resolution is possible. Healthcare can be scary, and when you address patient and caregiver needs in a timely manner, trust in your organization will grow. In omnichannel experiences, a patient can search for care online in the middle of the night, and if they don’t find an appointment opening, a call could be made. Imagine the value of already knowing that a patient was searching for a sick visit for tomorrow morning with Dr. X. With this data in mind, you are able to immediately offer alternatives and keep that patient in your system before they turn to a more convenient option.

You can see how omnichannel experiences are going to pave the way for the future of the contact center. Right now, the interactions with patients before and after treatment provide an enormous opportunity to build trust and further engagement with your organization. By integrating the data and allowing cross-channel experiences that build on each other, the contact center will extend into the main hub of engagement in the future. The time to build that integrated infrastructure is now, because in the near future new channels of engagement will be added and expected. Are you ready to deliver an omnichannel experience?

The Communication Solutions Series of blog posts is sponsored by Stericycle Communication Solutions, a leading provider of high quality call center & telephone answering services, patient access services, and automated communication technology. Stericycle Communication Solutions combines a human touch with innovative technology to deliver best-in-class communication services. Connect with Stericycle Communication Solutions on social media: @StericycleComms

Eliminate These Five Flaws to Improve Asset Utilization in Healthcare

Posted on October 4, 2017

The following is a guest blog post by Mohan Giridharadas, Founder and CEO, LeanTaaS.

The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act accelerated the deployment of electronic health records (EHRs) across healthcare. The overwhelming focus was to capture every patient encounter and place it into an integrated system of records. Equipped with this massive database of patient data, health systems believed they could make exponential improvements to patient experiences and outcomes.

The pace of this migration resulted in some shortcuts being taken — the consequences of which are now apparent to discerning CFOs and senior leaders. Among these shortcuts was the use of resources and capacity as the basis of scheduling patients; this concept is used by hundreds of schedulers in every health system. While simple to grasp, the definition is mathematically flawed.

Not being able to offer a new patient an appointment for at least 10 days negatively impacts the patient experience. Likewise, exceeding capacity by scheduling too many appointments results in long wait times for patients, which also negatively impacts their experience. The troubling paradox is that the very asset creating long wait times and long lead times for appointments also happens to perform at ~50 percent utilization virtually every day. The impact of a mathematically flawed foundation results in alternating between overutilization (causing long patient wait times and/or long delays in securing an appointment) and under-utilization (a waste of expensive capital and human assets).

Here are five specific flaws in the mathematical foundation of health system scheduling:

1. A medical appointment is a stochastic — not deterministic — event.

Every health system has some version of this grid — assets across the top, times of the day for each day of the week along the side — on paper, in electronic format or on a whiteboard. The assets could be specific (e.g., the GE MRI machine or virtual MRI #1, #2, etc.). As an appointment gets confirmed, the appropriate range of time on the grid gets filled in to indicate that the slot has been reserved.

Your local racquet club uses this approach to reserve tennis courts for its members. It works beautifully because the length of a court reservation is precisely known (i.e., deterministic) to be exactly one hour in duration. Imagine the chaos if club rules were changed to allow players to hold their reservation even if they arrive late (up to 30 minutes late) and play until they were tired (up to a maximum of two hours). This would make the start and end times for a specific tennis appointment random (i.e., stochastic). Having a reservation would no longer mean you would actually get on the court at your scheduled time. This happens to patients every day across many parts of a health system. The only way to address the fact that a deterministic framework was used to schedule a stochastic event is to “reserve capacity” either in the form of a time buffer (i.e., pretend that each appointment is actually longer than necessary) or as an asset buffer (i.e., hold some assets in reserve).

2. The asset cannot be scheduled in isolation; a staff member has to complete the treatment.

Every appointment needs a nurse, provider or technician to complete the treatment. These staff members are scheduled independently and have highly variable workloads throughout the day. Having an asset that is available without estimating the probability of the appropriate staff member also being available at that exact time will invariably result in delays. Imagine if the tennis court required the club pro be present for the first 10 and last 10 minutes of every tennis appointment. The grid system wouldn’t work in that case either (unless the club was willing to have one tennis pro on the staff for every tennis court).

3. It requires an estimation of probabilities.

Medical appointments have a degree of randomness — no-shows, cancellations and last-minute add-ons are a fact of life, and some appointments run longer or shorter than expected. Every other scheduling system faced with such uncertainty incorporates the mathematics of probability theory. For example, airlines routinely overbook their flights; the exact number of overbooked seats sold depends on the route, the day and the flight. They usually get it right, and the cancellations and no-shows create enough room for the standby passengers. Occasionally, they get it wrong and more passengers hold tickets than the number of seats on the airplane. This results in the familiar process of finding volunteers willing to take a later flight in exchange for some sort of compensation. Nothing in the EHR or scheduling systems used by hospitals allows for this strategic use of probability theory to improve asset utilization.

4. Start time and duration are independent variables.

Continuing with the airplane analogy: As a line of planes work their way toward the runway for departure, the controller really doesn’t care about each flight’s duration. Her job is to get each plane safely off the ground with an appropriate gap between successive takeoffs. If one 8-hour flight were to be cancelled, the controller cannot suddenly decide to squeeze in eight 1-hour flights in its place. Yet, EHRs and scheduling systems have conflated start time and appointment duration into a single variable. Managers, department leaders and schedulers have been taught that if they discover a 4-hour opening in the “appointment grid” for any specific asset, they are free to schedule any of the following combinations:

  • One 4-hour appointment
  • Two 2-hour appointments
  • One 2-hour appointment and two 1-hour appointments in any order
  • One 3-hour appointment and one 1-hour appointment in either order
  • Four 1-hour appointments

These are absolutely not equivalent choices. Each has wildly different resource-loading implications for the staff, and each choice has a different probability profile of starting or ending on time. This explains why the perfectly laid out appointment grid at the start of each day almost never materializes as planned.
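To make flaw 1 (an appointment is a stochastic event, so capacity must be reserved as a time buffer) and flaw 4 (the five fillings of a 4-hour opening are not equivalent) concrete, here is an added Monte Carlo example; it is not code from the post or from LeanTaaS, and its lateness and duration distributions are constructed assumptions rather than data.

```python
import random

# Minutes. The post's example is a 4-hour opening in the appointment grid.
BLOCK_MINUTES = 240

# The five ways the post says schedulers are taught they may fill that opening.
SCHEDULES = {
    "one 4-hour": [240],
    "two 2-hour": [120, 120],
    "one 2-hour + two 1-hour": [120, 60, 60],
    "one 3-hour + one 1-hour": [180, 60],
    "four 1-hour": [60, 60, 60, 60],
}


def simulate_block(durations, lateness, stretch, buffer_minutes=0):
    """Play out one asset's block given realised lateness and durations.

    durations:      scheduled minutes per appointment, in grid order
    lateness:       minutes each patient arrives after the slot start (>= 0)
    stretch:        actual duration / scheduled duration for each appointment
    buffer_minutes: grid minutes reserved after each appointment (the post's
                    "time buffer": pretend each appointment is longer)
    Returns (overrun, idle): minutes the block ends past its grid end, and
    minutes the asset sat unused waiting for a patient to arrive.
    """
    slot_start = 0.0   # where the grid says the next appointment begins
    asset_free = 0.0   # when the asset actually becomes free
    idle = 0.0
    for scheduled, late, mult in zip(durations, lateness, stretch):
        arrival = slot_start + late
        start = max(arrival, asset_free)   # a late patient cannot start early
        idle += start - asset_free         # gap the asset cannot recover
        asset_free = start + scheduled * mult
        slot_start += scheduled + buffer_minutes
    grid_end = slot_start
    return max(0.0, asset_free - grid_end), idle


def on_time_probability(durations, buffer_minutes=0, trials=20000, seed=7,
                        max_late=30, stretch_sd=0.25):
    """Monte Carlo estimate that the block ends by its scheduled grid end.

    Constructed randomness (an assumption for this example, not data from
    the post): lateness uniform on [0, max_late] minutes, as in the post's
    tennis analogy, and actual duration = scheduled * N(1, stretch_sd),
    floored at half the scheduled time. The same seed is used on every call
    so different buffer settings are compared on identical random draws.
    """
    rng = random.Random(seed)
    n = len(durations)
    on_time = 0
    for _ in range(trials):
        late = [rng.uniform(0.0, max_late) for _ in range(n)]
        mult = [max(0.5, rng.gauss(1.0, stretch_sd)) for _ in range(n)]
        overrun, _ = simulate_block(durations, late, mult, buffer_minutes)
        if overrun == 0.0:
            on_time += 1
    return on_time / trials


def compare_schedules(buffer_minutes=0, **kwargs):
    """On-time probability for each of the post's five fillings of the gap."""
    return {name: on_time_probability(d, buffer_minutes, **kwargs)
            for name, d in SCHEDULES.items()}


if __name__ == "__main__":
    for buf in (0, 15):
        print(f"time buffer per appointment: {buf} min")
        for name, p in compare_schedules(buf).items():
            print(f"  {name:<26} P(block ends on time) = {p:.2f}")
```

With no buffer the single 4-hour appointment finishes on time far more often than four 1-hour appointments, because every extra patient adds lateness the asset cannot claw back; a per-appointment buffer raises every schedule's on-time probability at the price of grid capacity.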

5. Setting appointments is more complicated than first-come, first-served.

Schedulers typically make appointments on a first-come, first-served basis. If a patient were scheduling an infusion treatment or MRI far in advance, the patient would likely hear “the calendar is pretty open on that day — what time would you like?” What seems like a patient-friendly gesture is actually mathematically incorrect. The appointment options for each future day should be a carefully orchestrated set of slots of varying durations that will result in the flattest load profile possible. In fact, blindly honoring patient appointment requests just “kicks the can down the road”; the scheduler has merely swapped the inconvenience of appointment time negotiation for excessive patient delays on the day of treatment. Instead, the scheduler should steer the patient to one of the recommended appointment slots based on the duration for that patient’s specific treatment.

In the mid-1980s, Sun Microsystems famously proclaimed that the “network is the computer.” The internet and cloud computing were not yet a thing, so most people could not grasp the concept of computers needing to be interconnected and that the computation would take place in the network and not on the workstation. In healthcare scheduling, “the duration is the resource” — the number of slots of a specific duration must be counted and allocated judiciously at various points throughout the day. Providers should carefully forecast the volume and the duration mix of patients they expect to serve for every asset on every day of the week. With that knowledge the provider will know, for example, that on Mondays, we need 10 1-hour treatments, 15 2-hour treatments and so on. Schedulers could then strategically decide to space appointments throughout the day (or cluster them in the morning or afternoon) by offering up two 1-hour slots at 7:10 a.m., one 1-hour slot at 7:40 a.m., etc. The allocation pattern matches the availability of the staff and the underlying asset to deliver the most level-loaded schedule for each day. In this construct, the duration is the resource being offered up to patients one at a time with the staff and asset availability as mathematical constraints to the equation (along with dozens of other operational constraints).

Health systems need to re-evaluate the mathematical foundation used to guide their day-to-day operations — and upon which the quality of the patient experience relies. All the macro forces in healthcare (more patients, older patients, higher incidence of chronic illnesses, lower reimbursements, push toward value-based care, tighter operating and capital budgets) indicate an urgent need to be able to do more with existing assets without upsetting patient flow. A strong mathematical foundation will enable a level of operational excellence to help health systems increase their effective capacity for treating more patients while simultaneously improving the overall flow and reducing the wait time.

About Mohan Giridharadas
Mohan Giridharadas is an accomplished expert in lean methodologies. During his 18-year career at McKinsey & Company (where he was a senior partner/director for six years), he co-created the lean service operations practice and ran the North American lean manufacturing and service operations practices and the Asia-Pacific operations practice. He has helped numerous Fortune 500 companies drive operational efficiency with lean practices. As founder and CEO of LeanTaaS, a Silicon Valley-based innovator of cloud-based solutions to healthcare’s biggest challenges, Mohan works closely with dozens of leading healthcare institutions including Stanford Health Care, UCHealth, NewYork-Presbyterian, Cleveland Clinic, MD Anderson and more. Mohan holds a B.Tech from IIT Bombay, MS in Computer Science from Georgia Institute of Technology and an MBA from Stanford GSB. He is on the faculty of Continuing Education at Stanford University and UC Berkeley Haas School of Business and has been named by Becker’s Hospital Review as one of the top entrepreneurs innovating in healthcare. For more information on LeanTaaS, please visit http://www.leantaas.com and follow the company on Twitter @LeanTaaS, Facebook at https://www.facebook.com/LeanTaaS and LinkedIn at https://www.linkedin.com/company/leantaas.

Top Five Challenges of Healthcare Cloud Deployments and How to Solve Them

Posted on October 2, 2017

The following is a guest blog post by Chad Kissinger, Founder of OnRamp.

According to the HIMSS 2016 Survey, 84 percent of providers are currently using a cloud service, showing security and compliance issues are not preventing organizations from deploying cloud environments. Despite growing adoption rates, breaches and security incidents continue to rise. Cloud deployments and ongoing environment management errors are to blame. 

Cloud services offer clear benefits—performance, cost savings, and scalability to name a few—so it’s no wonder healthcare organizations, like yours, are eager to take advantage of all that the cloud has to offer. Unfortunately, vulnerabilities are often introduced to your network when you adopt new technology. Let’s discuss how to identify and overcome common challenges in secure, compliant cloud deployments so you can opportunistically adopt cloud-based solutions while remaining on the right side of the law.

1. Ambiguous Delegation of Responsibilities
When technology is new to an organization, the responsibility of finding and managing that solution is often unclear. You must determine who owns your data. Is it your IT Department? Or perhaps your Security Department? It’s difficult to coordinate different people across departments, and even more difficult to communicate effectively between your organization and your provider. The delegation of responsibilities between you and your business associate will vary based on your service model—i.e. software as a service, infrastructure as a service, etc.

To prevent these issues, audit operational and business processes to determine the people, roles, and responsibilities for your team internally. Repeat the process for those services you will outsource to your cloud provider. Your business associate agreement should note the details of each party’s responsibilities, avoiding ambiguity and gaps in security or compliance. Look for provider credentials verified by third-party entities that demonstrate security levels at the data center level, such as HITRUST CSF, SSAE 16 SOC 2 Type 2, and SOC 3.

2. Lack of Policies, Standards, and Security Practices
If your organization doesn’t have a solid foundation of policies, standards, and security practices, you will likely experience one or more of the security-related issues outlined below. It’s necessary to not only create policies, but also ensure your organization is able to enforce them consistently.

  • Shadow IT. According to a recent HyTrust Cloud Survey of 51 organizations, 40% of cloud services are commissioned without IT input.
  • Cloud Portability and Mobility. Mitigating risks across many endpoints, from wearables to smart beds, becomes more difficult as you add more endpoints.
  • Privileged User Access. Divide your user access by work role and limit access to mitigate malicious insider attacks.
  • Ongoing Staff Education and Training. Your team needs to be properly trained in best practices and understand the role that they play in cybersecurity.

Proper security and compliance also involves the processes that safeguard your data and the documentation that proves your efforts. Such processes include auditing operational and business processes, managing people, roles and identities, ensuring proper protection of data and information, assessing the security provisions for cloud applications, and data decommissioning.

Communicate your security and compliance policies to your cloud provider to ensure their end of the operations falls in line with your overall plan.

3. Protecting Data and Meeting HIPAA Controls
The HIPAA Privacy Rule, the HIPAA Security Rule, and HITECH all aim to secure your electronic protected health information (ePHI) and establish the national standards. Your concern is maintaining the confidentiality, availability, and integrity of sensitive data. In practice, this includes:

  • Technology
  • Safeguards (Physical & Administrative)
  • Process
  • People
  • Business Associates & Support
  • Auditable Compliance

Network solution experts recognize that HIPAA-compliant data must be secure, but it also needs to be readily available to users and retain its integrity across platforms. Experienced cloud solution providers can bridge the gap between HIPAA requirements, patient administration, and the use of technology to treat patients and facilitate care.

Seek the right technology and implement controls for both the “required” and the “addressable” implementation specifications in HIPAA’s regulations. When it comes to security, you can never be too prepared. Here are some of the measures you’ll want to implement:

  • Data encryption in transit and at rest
  • Firewalls
  • Multi-factor Authentication
  • Cloud Encryption Key Management
  • Audit logs showing access to ePHI
  • Vulnerability scanning, intrusion detection/prevention
  • Hardware and OS patching
  • Security Audits
  • Contingency Planning—regular data backup and disaster recovery plan

The number one mistake organizations make in protecting data in a cloud deployment is insufficient encryption, followed by poor key management. Encryption must be FIPS 140-2 compliant.
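Envelope encryption is the usual way to cover the encryption-at-rest and key-management items on that list together. The Go program below is an added example, not OnRamp’s code or the white paper’s; it assumes the key-encryption key (KEK) is held by a FIPS 140-2 validated key-management service (stood in for here by a plain byte slice) and it also produces the “audit logs showing access to ePHI” line from the same list.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not OnRamp's code. Envelope encryption for an ePHI record: a
// fresh data-encryption key (DEK) encrypts the record and a key-encryption key
// (KEK) wraps the DEK. The KEK is assumed to live in a FIPS 140-2 validated
// key-management service (here just a byte slice); only the wrapped DEK is
// stored beside the ciphertext, so rotating the KEK re-wraps small DEKs
// rather than re-encrypting every record.

// EncryptedRecord is what lands in cloud storage.
type EncryptedRecord struct {
	PatientID  string // constructed identifier, also bound in as associated data
	KEKVersion string // which KEK wrapped the DEK, so rotation is traceable
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, record)
}

// aadFor binds a blob to its record identity and KEK version, so a blob copied
// from one patient's record fails to decrypt under another's.
func aadFor(patientID, kekVersion string) []byte {
	return []byte(patientID + "|" + kekVersion)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key, prepending the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord generates a per-record 256-bit DEK, encrypts the record with
// it, then wraps the DEK under the KEK.
func EncryptRecord(kek []byte, kekVersion, patientID string, record []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	aad := aadFor(patientID, kekVersion)
	ct, err := seal(dek, record, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{PatientID: patientID, KEKVersion: kekVersion, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK and decrypts the record. It always returns an
// audit line naming who accessed which patient's ePHI and the outcome, which
// is the "audit logs showing access to ePHI" control from the list above.
func DecryptRecord(kek []byte, rec *EncryptedRecord, userID string) ([]byte, string, error) {
	audit := fmt.Sprintf("ephi-access user=%s patient=%s kek=%s", userID, rec.PatientID, rec.KEKVersion)
	aad := aadFor(rec.PatientID, rec.KEKVersion)
	dek, err := unseal(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, audit + " result=denied stage=unwrap", err
	}
	record, err := unseal(dek, rec.Ciphertext, aad)
	if err != nil {
		return nil, audit + " result=denied stage=record", err
	}
	return record, audit + " result=ok", nil
}
```

Because the DEK is wrapped under a versioned KEK, a KEK rotation only re-wraps the 60-byte WrappedDEK blobs, and the audit line is emitted for denied attempts as well as successful ones.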

4. Ensuring Data Availability, Reliability, and Integrity
The key to service reliability and uptime is your data backup and disaster recovery (DR) efforts. Data backup is not the same as disaster recovery—this is a common misconception. Data backup is one part of business continuity planning, which requires much more. There’s a gap between how organizations perceive their track records and the reality of their DR capabilities. The “CloudEndure Survey of 2016” notes that 90% of respondents claim they meet their availability goals, but only 38% meet them consistently, and 22% of the organizations surveyed don’t measure service availability at all. Keep in mind that downtime can also originate with your cloud provider—and that is out of your control. For instance, the AWS outage earlier this year caused a ruckus when many cloud-based programs stopped functioning.

5. Ability to Convey Auditable Compliance (Transparency)
Investors, customers, and regulators cannot easily discern that your cloud environment is compliant because it’s not as visible as other solutions, like on-premise hosting. You will have to work closely with your cloud provider to determine how to document your technology, policies, and procedures so that you can prove auditable compliance.

Putting It All Together
The cloud provides significant advantages, but transitioning into the cloud requires a thorough roadmap with checkpoints for security and compliance along the way. Remember that technology is just the first step in a secure cloud deployment—proper security and compliance also involves the processes that protect your sensitive data and the documentation that proves your compliance efforts. You’ll want to identify resources from IT, security and operations to participate in your cloud deployment process, and choose a cloud provider that’s certified and knowledgeable in the nuances of healthcare cloud deployments.

For more information download the white paper “HOW TO DEPLOY A SECURE, COMPLIANT CLOUD FOR HEALTHCARE.”

About OnRamp

OnRamp is a HITRUST-certified data center services company that specializes in high-security, compliant hybrid hosting and is a proud sponsor of Healthcare Scene. Our solutions help organizations meet compliance standards including HIPAA, PCI, SOX, FISMA, and FERPA. As an SSAE 16 SOC 2 Type 2 and SOC 3 audited, PCI-DSS certified, and HIPAA compliant company, OnRamp operates multiple enterprise-class data centers to deploy cloud computing, colocation, and managed services. Visit www.onr.com or call 888.667.2660 to learn more.

Translating Social Determinants of Health Into Clinical Action

Posted on September 25, 2017 I Written By

The following is a guest blog post by Anton Berisha, MD, Senior Director, Clinical Analytics and Innovation, Health Care, LexisNexis Risk Solutions.
The medical community recognizes the importance of social determinants of health (SDOH) – social, economic and environmental conditions in which people are born, grow, live, work and age that impact their health – as significant and direct risk factors for a large number of health care outcomes.

The negative outcomes include stress, mental health and behavioral disorders, alcoholism and substance abuse, to name a few. Negative SDOH worsen a slew of major chronic conditions, from hypertension and Coronary Artery Disease to obesity; they also lead to lower patient engagement and medication adherence while increasing low-intensity ER visits and hospital admissions and readmissions.

In fact, a study shows that medical care determines only 20% of overall health outcomes while social, economic and environmental factors determine about 50% of overall health. The National Quality Forum, Centers for Disease Control and Prevention and World Health Organization have all acknowledged the importance of addressing SDOH in health care.

Not all SDOH are “created equal”

When it comes to SDOH, there is a misconception that all data regarding a person’s lifestyle, environment, situation and behaviors relate to their health. Although there is a myriad of basic demographic data, survey data and other Electronic Health Records (EHR) data available to providers today, much of it has a limited potential for identifying additional health costs and risks.

The key to addressing SDOH is to use current, comprehensive and longitudinal data that can be consistently linked to specific patient populations and provided in a standardized format. One example is attributes derived from public records data such as proximity to relatives, education, income, bankruptcy, addresses and criminal convictions.

Moreover, each SDOH attribute has to be clinically validated against actual healthcare outcomes. Clinically validating attributes is critical to successful predictive analytics because some attributes do not correlate strongly to health outcomes.

For example, while knowing how close an individual’s nearest relative or associate lives to the patient does correlate to health outcomes, knowing how many of those relatives or associates have registered automobiles does not. Even when attributes are clinically validated, different attributes correlate to different outcomes with different strengths of accuracy.

Translating SDOH into actionable intelligence

After SDOH have been correlated to healthcare outcomes, providers have two implementation options. One is to use relevant individual SDOH attributes per outcome in clinical and analytic models to better assess and predict risk for patients. Another is to use SDOH as part of risk scores estimating specific healthcare risks, for example an individual’s total health care risk over the next 12 months based on cost, a 30-day readmission risk, or a patient engagement score.

Risk estimation can be done either in combination with other types of legacy healthcare data, such as claims, prescription and EHR data or with SDOH alone, in the absence of medical claims.

Recently, a client of LexisNexis® Health Care did an independent study to evaluate the impact and usefulness of Socioeconomic Health Score (SEHS) in risk assessment for several key chronic conditions, when no other data are available. Findings proved that the top decile of SEHS captures significantly more members with given conditions than the bottom decile. The study concluded that the difference was important and very helpful in estimating risks in a newly acquired population without legacy healthcare data.

Integrating SDOH into clinical workflows and care recommendations

Validated SDOH can be presented in the form of risk drivers or reason codes directing the clinician toward the most important factors influencing a given negative outcome for each patient: income, education, housing or criminal records.

The risk drivers and reason codes can then be integrated into workflows within the clinician’s IT systems, such as the EHR or care and case management, in the form of an easy-to-understand presentation. It could be a data alert that is customizable to patients, treatments and conditions, helping the provider make score-based decisions with greater accuracy and confidence. At this point, the SDOH information becomes actionable because it has the following characteristics:

  • It is based on hard facts on every individual.
  • It is based on correlation and statistical significance testing of large pools of patients with similar behavior.
  • It provides clear and understandable reason codes driving the negative outcomes.
  • It can be tied to intervention strategies (outlined below) that have demonstrated positive results.

Clinicians empowered with actionable SDOH information can modify their interventions and follow-up strategies accordingly. Based on resources at hand, patients living in negative SDOH could be either properly managed by clinicians themselves or other medical staff, social workers and newly created roles such as health coaches. Sub-populations at risk could benefit from access to community resources to get help with housing (permanent supportive housing for homeless), transportation, education, childcare and employment assistance.

Moreover, SDOH are particularly effective in helping providers develop a population health management strategy fueled by prioritized tactics for preventive care. Tactics can range from promotion of healthy food to free screening services. For patients with chronic diseases (who can typically be managed appropriately when they adhere to therapy and healthy lifestyle choices), SDOH-informed interventions can help keep them under control and potentially reduce severity. For patients recently released from the hospital, aftercare counseling could prevent complications and readmissions.

To sum it up

Socioeconomic data is a vital force for healthcare risk prediction as it provides a view into the otherwise hidden risks that cannot be identified through traditional data sources. When SDOH are clinically validated and correlated to healthcare outcomes, they help providers better understand an individual’s risk level and address it through appropriate intervention strategies.

Create Happier Healthcare Staff in 3 Easy Steps

Posted on September 14, 2017 I Written By

The following is a guest blog post by Chelsea Kimbrough from Stericycle Communication Solutions, as part of the Communication Solutions Series of blog posts. Follow and engage with them on Twitter: @StericycleComms
Creating excellent patient experiences is the focus of nearly every healthcare organization. To do this, providers are increasingly turning to new patient engagement tools and technologies. It’s important to note, however, that patient experience woes cannot be mended with technology alone. The healthcare professionals facilitating communications and care will always play an integral role in patients’ overall satisfaction and loyalty.

Unfortunately, those providing in-person care are often distracted from important patient-facing responsibilities by front office tasks. Thankfully, many modern engagement tools are able to create more seamless operational workflows for healthcare professionals in tandem with enhanced patient experiences. But with the market growing increasingly competitive, it’s important to pick the tools and technologies that best serve both populations.

Outlined below are three steps healthcare organizations can take to create a more enjoyable workplace for their staff and what key capabilities are necessary to ensure the greatest ROI.

  1. Lessen the number of phone calls
    If the phone isn’t demanding attention, healthcare professionals are better able to focus their talent and effort on the patients and people in more immediate need of their expertise. This ability drives better health outcomes, operational efficiencies, and patient experiences.

    Telephone answering solutions and technology help achieve these results. However, it’s important whoever is answering your phones is prepared to handle any question, task, language, or call volume. Unfortunately, many internally-run call answering solutions are unable to swiftly manage fluctuating call volumes. By partnering with a third-party telephone answering service, healthcare organizations can ensure every call is met with exceptional care.

    When searching for a call center solution, healthcare organizations should seek:

    • Flexible call answering solutions
    • Multilingual live agent support
    • Control over call flow & scripting
    • Proven experience & expertise
  2. Automate appointment reminders
    Patients crave convenient experiences – and so do healthcare professionals. Automating informational messages to patients, such as appointment reminders, population health notifications, and relevant event announcements, removes part of this communication responsibility from staff, directly enabling them to focus on in-person care.

    It’s important, however, that this particular service is able to integrate with the health system’s EHR or EMR. This ability enables the health system to target a patient’s contact method of choice when sending automated messages, seamlessly enhancing their experience. And by communicating every interaction with the health system, staff members are kept informed and prepared to meet patients’ needs should they choose to reach out.

    When searching for a messaging solution, healthcare organizations should seek:

    • Email, voice, and text messaging capabilities
    • Patient-specific customization
    • Easy message deployment
    • EHR/EMR connectivity
  3. Optimize patient scheduling
    Patients of all ages can benefit from a smoother appointment scheduling process – and for many patients, online scheduling is the answer. By eliminating the need for a time-consuming phone call, online scheduling better fits into the digitally-driven lives of today’s patients. And when implemented properly, online scheduling can directly benefit both telephone answering and automated messaging, too.

    Because scheduling an appointment should be a pain-free process, healthcare organizations should simplify it by sending an automated reminder with a unique, secure link that lets patients schedule an appointment from their phone, laptop, or other internet-connected device. By choosing a tool that automatically communicates this information to the health system’s EHR, patients can call about their appointment and receive consistently accurate information no matter which healthcare employee answers the phone. What’s more, this particular patient engagement tool lessens the appointment scheduling burden on staff, enabling them to provide better in-person care.

    When searching for an appointment scheduling solution, healthcare organizations should seek:

    • Intuitive, user-friendly tools
    • Accurate appointment availability
    • Easy message deployment
    • EHR/EMR connectivity

When the right communication tools and technologies are implemented, entire healthcare organizations thrive. With the above three strategies and the technologies associated with them in place, healthcare professionals can better focus on patients with the reassurance their phones are answered by trained professionals, important messages are promptly delivered, and schedules are being filled.

Healthcare organizations that implement communication tools and technologies that benefit both patients and staff are better positioned to have happier, more satisfied team members. And with a happier staff tending to patients’ healthcare needs, organizations can better safeguard patient loyalty for years to come.

The Communication Solutions Series of blog posts is sponsored by Stericycle Communication Solutions, a leading provider of high quality telephone answering, appointment scheduling, and automated communication services. Stericycle Communication Solutions combines a human touch with innovative technology to deliver best-in-class communication services. Connect with Stericycle Communication Solutions on social media: @StericycleComms

Better Tech is Here for Healthcare

Posted on September 13, 2017 I Written By

The following is a guest blog by Brandt Welker, CTO at MedicaSoft. This is the second blog in a three-part sponsored blog post series focused on new HIT for integration. Each month, a different MedicaSoft expert will share insights on new and innovative technology and its applications in healthcare.

What are some of the common complaints doctors and nurses have about their EHRs?

“I have to click too much.” “Information is buried.” “It doesn’t follow my workflow.” “It’s slow.”

“I feel like a data entry clerk.” “*insert your favorite gripe here*” There is no shortage of commentary on the issues irking clinicians when it comes to technology. What there is a shortage of are ideas to fix it.

Better technology is out there serving other industries … and it can be applied in healthcare. Technology should ease administrative loads and put clinicians back in front of patients! I’ve talked about some of this previously and how we keep clinicians involved in our design process. When it came to building an entirely new EHR, the driving force behind our team researching and adopting new technologies was to imagine a clean slate.

Most of our team came from backgrounds in the Department of Veterans Affairs (VA) world of VistA. We learned a lot about legacy systems over the years – both beloved and maligned – and asked ourselves what a system would look like if it were unencumbered by the past. How would that system look? What could that system be? What technology choices should we make to simplify things? How could it play nicely with other systems and encourage true interoperability? How could it support users’ clinical workflow?

From the beginning, we decided that the most important thing was to get the platform right. Build the platform and build it right and things will work together. Build it to play nicely with other technology and interoperate. Make it fast. Make it easy. Make it open. Make it affordable. All of these needs were a part of our system “wish list.”

So, how’d we do it? We researched technology working in other fields and also elected to use HL7® FHIR® to its fullest extent. By now, you’ve probably heard a lot about the HL7® FHIR® standard. Many companies are using HL7® FHIR® to build APIs that are doing amazing things across the industry. We decided to use the HL7® FHIR® document data model as the basis of our platform – it simplifies implementation without sacrificing information integrity. We coupled it with a very powerful database and search engine – Couchbase & Elasticsearch. These are two high-performance tools used across industries. When you need a whole lot of data to move fast, you use Couchbase and Elasticsearch.

Couchbase is our NoSQL database. Couchbase is open-source and optimized for interactive applications. It provides low-latency data management (read: lots of data very quickly) for large-scale applications (like an EHR!). It lets us store records as documents and it’s really good at data replication. You might recognize Couchbase – many other industry giants such as eBay, LinkedIn, and Verizon use it. We selected Elasticsearch as our search engine. Some of your favorite sites and services use Elasticsearch – Netflix, Facebook, LinkedIn, and Wal-Mart, to name a few.

On top of Couchbase and Elasticsearch are FHIR APIs. These interactions are managed by type. We also use a Parser/Assembler Service that lets us combine, rearrange, and augment documents. Data is placed in the proper JSON format to be sent through the FHIR API into Couchbase. Our Community Health Record sits on top of this and everything described here is a part of our open platform – the one we built from scratch and architected to be interoperable and easy. Pretty neat, huh?

Once you have the platform, you can build all kinds of things to sit on top of it. The sky is the limit! In our case, we have a Personal Health Record and an Electronic Health Record, but we built it this way so you can use a wide range of technologies with the platform – things like Alerts or Analytics or Population Health or Third Party Applications, even custom built items that folks may have developed in-house will work with the platform. Essentially, using the platform means we can integrate with whatever you already have in place. Maybe you have an EHR with some issues, but you don’t have the time or budget allotted for another huge EHR implementation. No problem – we can help you view your data with a modern interface – without having to buy a whole other EHR. Revolutionary!

There are several other technology choices we made along the way, too – Node.js, NGINX, Angular.js are a few more. Angular.js allows us to be speedy in our development process. We can develop and build features quickly and get changes in front of clinicians for their feedback, which results in less time between product builds and releases. It means folks don’t have to wait months and months for changes they want. Angular is also web-based, which means user interfaces are modern and just like the interfaces everybody uses in their day-to-day lives. Angular.js was created by Google and there are many large companies you’ll recognize who use it to develop – PayPal, Netflix, LEGO, YouTube, to name a few.

I believe healthcare is lagging in adopting new technologies and there are a lot of excuses around why user interfaces in healthcare are generally horrible – they range from the software being written before Web 2.0 to users accepting that it is how it is and finding a way to work around their technology. The latter is probably the saddest thing I see happening in hospitals and clinics. Tech is there to make work easier, not more complicated.

There was a great quote from Dale Sanders, Executive Vice President of Product Development at Health Catalyst in MedCity News last week:

“Every C-level in healthcare has to be a bit of a technologist right now,” he said. “They need to understand this world. If you’re not aware of technology, it puts you … at a strategic disadvantage.”

I can’t emphasize how true this statement is. If you’re not paying attention to where technology is going, you’re not paying attention to where healthcare is going and you’re going to get left behind.

About Brandt Welker
Brandt is a HIT architecture and software expert. He calls Reading, Pennsylvania home. He has architected software systems and managed large IT and innovations programs at the U.S. Department of Veterans Affairs (VA) and the National Aeronautics and Space Administration (NASA). He’s also trained astronauts at the Neutral Buoyancy Lab. He’s currently the Chief Technology Officer at MedicaSoft. Brandt can be found on LinkedIn.

About MedicaSoft
MedicaSoft designs, develops, delivers, and maintains EHR, PHR, and UHR software solutions and HISP services for healthcare providers and patients around the world. For more information, visit www.medicasoft.us or connect with us on Twitter @MedicaSoftLLC, Facebook, or LinkedIn.

Business Associates are NOT Responsible for Clients’ HIPAA Compliance, BUT They Still Might Be At-Risk

Posted on August 25, 2017 I Written By

The following is a guest blog post by Mike Semel from Semel Consulting.

“Am I responsible for my client’s HIPAA compliance?”

“What if I tell my client to fix their compliance gaps, and they don’t? Am I liable?”

“I told a client to replace the free cable Internet router with a real firewall to protect his medical practice, but the doctor just won’t spend the money. Can I get in trouble?”

“We are a cloud service provider. Can we be blamed for what our clients do when using our platform?”

 “I went to a conference and a speaker said that Business Associates were going to be held responsible for their clients’ compliance. Is this true???”

I hear questions like these all the time from HIPAA Business Associates.

The answers are No, No, No, No, and No.

“A business associate is not liable, or required to monitor the activities of covered entities under HIPAA, but a BA has similar responsibilities as a covered entity with respect to any of its downstream subcontractors that are also BAs,” said Deven McGraw, Deputy Director for Health Information Privacy, US Department of Health and Human Services Office for Civil Rights (OCR), and Acting Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology, on August 17, 2017.

So, while you aren’t responsible for your clients’ HIPAA compliance, what they do (or don’t do) still might cost you a lot, if you aren’t careful.

In my book, How to Avoid HIPAA Headaches, there are stories about HIPAA Covered Entities that suffered when their Business Associates failed to protect PHI. North Memorial Health Care paid $1.55 million in HIPAA penalties based on an investigation into the loss of an unencrypted laptop by one of its Business Associates, Accretive Health.

Cottage Health, a California healthcare provider, is being sued by its insurance company to get $4.1 million back from a settlement after Cottage Health’s IT vendor, a Business Associate, accidentally published patient records to the Internet.

Your marketing activities, what you and your salespeople say to prospects and clients, and your written Terms & Conditions may all create liability and financial risks for you. These must be avoided.

Semel Consulting works with a lot of Business Associates.

Many are IT companies, because I spent over 30 years owning my own IT companies. I’ve been the Chief Information Officer for a hospital and a K-12 school district, and the Chief Operating Officer for a cloud backup company. I now lead a consulting company that helps clients address their risks related to regulatory compliance, cyber security, and disaster preparedness. I speak at conferences, do webinars, and work with IT companies that refer their clients to us.

I look at the world through risk glasses. What risks do our clients have? How can I eliminate them, minimize them, or share them? When we work with our healthcare and technology industry clients, we help you identify your risks, and quantify them, so you know what resources you should reasonably allocate to protect your finances and reputation.

Under HIPAA, compliance responsibility runs one way – downhill.

Imagine a patient on top of a hill. Their doctor is below the patient. You are the doctor’s IT support company, below the doctor, and any vendors or subcontractors you work with are below you.

The doctor commits to the patient that he or she will secure the patient’s Protected Health Information (PHI) in all forms – verbal, written, or electronic. This is explained in the Notice of Privacy Practices (NPP) that the doctor gives to patients.

Under HIPAA, the doctor is allowed to hire vendors to help them do things they don’t want to do for themselves. Vendors can provide a wide variety of services, like IT support; paper shredding; consulting; malpractice defense; accounting; etc. The patient is not required to approve Business Associates, and does not have to know that outsourcing is happening. This flexibility is also explained in the patient’s Notice of Privacy Practices.

As a vendor that comes in contact with PHI, or the systems that house it, you are a HIPAA Business Associate. This requires you to sign Business Associate Agreements and, since 2013, when the HIPAA Omnibus Final Rule went into effect, it also means that you must implement a complete HIPAA compliance program and be liable for any breaches you cause.

IT companies may decide to resell cloud services, online backup solutions, or store servers in a secure data center. Since the HIPAA Omnibus Final Rule went into effect, a Business Associate’s vendors (known as subcontractors) must also sign Business Associate Agreements with their customers, and implement complete HIPAA compliance programs.

Because compliance responsibility runs downhill, the doctor is responsible to the patient for ensuring that his Business Associates will protect the patient’s confidential information. The Business Associate assures the doctor that they, and their subcontractors, will protect the patient’s confidential information. Subcontractors must commit to Business Associates that they will protect the information. A series of two-party agreements is required down the line from the doctor to the subcontractors.

It doesn’t work the other way. Subcontractors are not responsible for Business Associates, and Business Associates are not responsible for Covered Entities, like doctors.

HIPAA compliance responsibility, and legal and financial liability, are different.

A HIPAA Covered Entity is responsible for selecting compliant vendors. Business Associates are responsible for selecting compliant subcontractors. Subcontractors must work with compliant subcontractors.

Because Covered Entities are not liable for their Business Associates, and Business Associates are not liable for their Subcontractors, they are not required to monitor their activities. But, you still need to be sure your vendors aren’t creating risks. The Office for Civil Rights (OCR) says that:

… if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights. See 45 CFR 164.504(e)(1).

With respect to business associates, a covered entity is considered to be out of compliance with the Privacy Rule if it fails to take the steps described above. If a covered entity is out of compliance with the Privacy Rule because of its failure to take these steps, further disclosures of protected health information to the business associate are not permitted.

In its Cloud Service Provider (CSP) HIPAA Guidance released in 2016, the OCR said:

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs.  See 45 CFR §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502. 

Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.  For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.),[3] provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.

How can a Business Associate be affected by a client’s compliance failure? Here are some scenarios.

(FYI, I am not a lawyer and this is not legal advice. These ideas came out of meetings I had with my attorney to review our contracts and our marketing. Talk to your lawyer to make sure you are protected!)

  1. IT companies should never tell a client, “We’ll be responsible for your IT so you can focus on your medical practice.”

Sound familiar? This is what many IT Managed Service Providers tell their prospects and clients.

Then the client has a data breach because they were too cheap to buy a firewall, they refused to let you implement secure passwords because it would inconvenience their staff, or they lost an unencrypted thumb drive even though you had set up a secure file sharing platform.

Someone files a HIPAA complaint, the OCR conducts an investigation, and your client pays a big fine. Then they sue you, saying you told them IT was your responsibility. Maybe they misunderstood what you included in your Managed Services. Maybe you did not clearly explain what responsibility you were accepting, and what IT responsibility was still theirs. Either way, you could spend a lot on legal fees, and even lose a lawsuit if a jury believes you made the client believe you were taking over their compliance responsibility.

  2. You must clearly identify what is, and what is not, included in your services.

Your client pays you a monthly fee for your services. Then they have a breach. They may expect that all the tasks you perform, and the many hours of extra labor you incur, are included in their monthly fee. They get mad when you say you will be charging them for additional services, even though they have just hired a lawyer at $500 per hour to advise them. Without written guidelines, you may not be able to get paid.

  3. You must be sure you get paid if your client drags you into something that is not your fault.

Imagine you were the IT company that set up an e-mail server for a recent presidential candidate. As unlikely as this may sound, the server becomes a political issue. You just did what the client requested, but now you must hire attorneys to advise you. You must hire a public relations firm to deal with the media inquiries and protect your name in the marketplace. You must send your techs and engineers, your main source of income, to Washington for days to testify in front of Congress, after they have already spent unbillable time preparing their testimony.

Who pays? How do you keep from losing your client? How do you protect your reputation?

HOW TO PROTECT YOUR FINANCES AND YOUR REPUTATION

  • Make sure you and your salespeople are careful to not overpromise your services. Make sure you and your sales team tell your prospects and clients that they are always ultimately responsible for their own security and compliance.
  • Make sure your contracts and Terms and Conditions properly protect you by identifying what services are/aren’t covered, and when you can bill for additional services. Don’t forget to include your management time when sending bills. Use a competent lawyer familiar with your needs to write your agreements and advise you on any agreements presented to you by others.
  • State in your Terms & Conditions that you will be responsible for your own company’s compliance (you are anyway) but that you are not responsible for your clients’ compliance.
  • Include terms that require your client to pay for ALL costs related to a compliance violation, government action, investigation, lawsuit, or other activity brought against them, that requires your involvement.
  • My attorney said we should include “change in government regulations” in our Force Majeure clause to allow us to modify our contract or our pricing before a contract expires. The 2013 HIPAA Omnibus Rule created a lot of expensive responsibilities for Business Associates. You don’t want to get stuck in an existing contract or price model if your costs suddenly increase because of a new law or rule.
  • Get good Professional Liability or Errors & Omissions insurance to protect you if you make a mistake, are sued, or dragged into a client’s investigation. Make sure you understand the terms of the policy and how it covers you. Make sure it includes legal representation. Ask for a custom policy if you need special coverage.
  • Make a negative a positive by promoting that you offer the specialized services clients will need in case they are ever audited, investigated, or sued.

If you do this right, you will protect your business and leverage compliance to increase your profits. When you focus on compliance, you can get clients willing to pay higher prices because you understand their compliance requirements. I know. I have generated millions of dollars in revenue using compliance as a differentiator.

About Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA (and other regulatory) compliance; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.