Archive for December, 2009

HIEs and Security, and the Impact of Breach

Tuesday, December 15th, 2009

- By Jesse Erdmann

Once again there is news of another data breach (article here) in the health industry. This time around, a Connecticut company by the name of Health Net reported the loss of a disc containing health information, social security numbers and bank account information of 446,000 patients, as well as potentially another two laptops.

This news comes on the back of a November survey and report (article here) by HIMSS, paid for by Symantec, which found that only 67% of healthcare organizations encrypt data transmissions and fewer than half encrypt the data stored on disk. Obviously, if Health Net had encrypted their data properly, the loss of the disc and laptops would not be as significant (due to the difficulty, if not impossibility, of the thieves accessing the data). Another important thing to note about the survey is that Symantec is one of the largest vendors of security software, so the reported numbers may need to be taken with a grain of salt.

However, there are some things to take away from this breach and the HIMSS report. One such takeaway is that while there is a lot of additional complexity in securing health data (which needs to be handled by those who understand the industry), there are well-established resources that can cover the basics for health organizations. There are also accreditations, like the Certified Information Systems Security Professional (CISSP), which can be used to vet potential employees or benchmark training for employees in key security positions.

A general rule of thumb for health organizations would be to hire a person to manage organization-wide security issues. Key deliverables from such a person would be to write and deliver a security policy for the organization, purchase or recommend non-domain specific security software and be responsible for the training of all employees that handle sensitive data. Special emphasis should also be placed on the training of software engineers and system administrators. With proper policies, training, and oversight, health organizations can protect themselves and their data from breach or loss.

Quality Reporting, Stimulus Dollars and NHIN

Tuesday, December 15th, 2009

- By John Fraser

Did you know you’ll need to report certain quality measures to Medicare in order to collect stimulus dollars starting in January 2011? Do you know how to report quality measures, or what types of quality reporting will be required?

While the final regulations have yet to be released, they will deal with the type of information that needs to be reported, how it will be reported and on what frequency. We expect the quality regulations will be based on the current Physician Quality Reporting Initiative, or PQRI system.

In 2006, a new federal law established what is now known as the Physician Quality Reporting Initiative, or PQRI. PQRI reimburses most types of physicians, practitioners and therapists up to 2% of Medicare billings if they report on PQRI’s 200 quality measures, which change annually. Each measure is detailed in the regulations (for example the 200+ measures in the 2010 PQRI program) and each measure includes a reporting frequency requirement. Providers currently have several options for getting this information to CMS, including reporting directly to CMS or using a CMS-certified PQRI registry.

While the final rules for stimulus-required reporting have not been released, CMS has publicly stated an interest in using NHIN, the Nationwide Health Information Network, for quality reporting purposes. We therefore expect some type of NHIN reporting system to be developed in time for the 2011 stimulus-required reporting deadlines.

As part of the stimulus bill, providers will be required to report quality (PQRI) information to CMS in order to collect stimulus dollars. This requirement could mean that providers would be encouraged to use NHIN, with current submission mechanisms still supported and NHIN added as an option to the mix. This will mean that providers who have access to NHIN will have a new, streamlined option for submission of quality measures.

For example, health information exchanges (HIEs) that install an NHIN connection could add quality reporting capabilities as a core service for their HIE. This NHIN-based reporting would drive better patient care, as more providers collect and submit quality data while modifying care to improve quality metrics. EMR vendors who add NHIN quality reporting will also be able to more easily report to CMS.

Overall, NHIN quality reporting to CMS offers multiple benefits, including improved workflows for physicians, more comprehensive quality reporting and compliance with stimulus requirements. By utilizing NHIN for quality reporting, providers will comply with, and therefore collect, all of the new stimulus dollars due them.

MEDNET’s Seonho Kim appointed to lead CMS NHIN Medicaid Eligibility Project

Friday, December 11th, 2009

Seonho Kim, Chief Architect of MEDNET, has been appointed to lead the NHIN Team to address the Centers for Medicare and Medicaid Services’ (CMS) requests to enable Medicaid Eligibility Verification through the NHIN.

The goal of this team effort is to develop new NHIN specifications for CMS MITA (Medicaid Information Technology Architecture) Medicaid Eligibility Verification. As team lead, Seonho Kim will work with other NHIN Specification Factory team members and drive the development of a technical solution to address CMS’s request.