Does your healthcare practice store your patient data, aka electronic protected health information (ePHI), in the cloud or at a third-party data center? If so, then you have some work to do. As a covered entity, you need to sign a business associate agreement (BAA) with your vendor if you haven’t already. If the vendor refuses to sign one, then find another vendor who will.
Sept 23, 2013 is fast approaching. That’s the date by which your business associates and their subcontractors have to be in compliance with the HIPAA final “Omnibus” Rule. The final rule, released earlier this year, not only expands the definition of a “business associate” (BA) under HIPAA, but also holds BAs and their subcontractors directly responsible for complying with HIPAA and subject to criminal and civil liability for violating certain provisions of HIPAA.
The expanded definition of a BA now includes:
- Persons who "create, receive, maintain or transmit" ePHI.
- Persons who "maintain" ePHI on behalf of a covered entity, even if the person does not actually view the ePHI. For example, most document storage companies and cloud computing providers that maintain ePHI on behalf of a covered entity are business associates.
- Subcontractors - persons who perform functions for or provide services to a business associate are also business associates if they access or store ePHI.
Under this new rule the number of BAs that your healthcare practice deals with might have changed. Here’s what you need to do:
- Make a list of all third party vendors that you work with, that fall under the revised definition of a BA. This list should encompass IT vendors like data storage companies, IT service providers that maintain your systems, cloud service vendors, billing companies, transcriptionists, etc.
- Interview them and question them regarding their HIPAA compliance efforts. Ask them about their security measures and adoption of best practices to protect the ePHI.
- Ask them whether they have ever conducted a business technology risk assessment. Any vendor who claims to be HIPAA compliant will be proud to tell you about their security measures and should be able to address all your concerns effectively.
- Negotiate and execute an effective BAA that spells out the BA’s legal responsibilities and liabilities in the event of a data breach.
A signed BAA ensures that the BA understands their legal responsibilities to protect the ePHI and has implemented reasonable and appropriate measures to ensure the security and privacy of ePHI and comply with the HIPAA Security Rule.
As a covered entity, it is ultimately your responsibility to protect the ePHI of your patients. Your reputation and financial well-being depend on it. Having a clearly written and executed BAA in place can serve to mitigate the financial damage to your practice in the event of a third-party data breach.
Does your healthcare practice conduct patient satisfaction surveys? Do you ask your patients these follow-up questions:
- How was your experience at our facility?
- How long did you have to wait in the waiting room before you were taken in?
- How long did you wait in the exam room before the doctor saw you?
- Was the doctor engaging? Did he answer all your questions?
- Did you have all the relevant information you needed regarding your health before you left our facility?
- Did you encounter any issues at our facility?
- How can we improve your experience at our facility?
- Would you recommend your doctor and our facility to others?
All other businesses except healthcare focus on the customer experience. They conduct periodic customer satisfaction surveys to find out how their clients are experiencing their service. They try to do everything they can to make their clients happy and hope that they get a good recommendation for their work. Even small and medium-sized businesses use readily available and affordable technology to solicit customer feedback and identify areas of improvement in their business. So why is this type of customer focus an exception rather than the rule in the healthcare business? Why does every healthcare practice not have a Patient Relationship Officer (PRO), an individual accountable for patient (client) satisfaction?
Healthcare is, after all, a service business. One would expect patient satisfaction to be the focus of any healthcare practice. Making it convenient for the patient to see their doctor, understanding patient issues, and delivering quality care would be the norm. It sure doesn’t feel that way. Patients experience long wait times and rude or incompetent staff during their visits. They get talked down to and come away with a feeling that they have been done a favor by the doctor and his staff, when in fact the patients are the ones who are paying for the services. If not for patients, there would be no need for doctors.
Somehow it is very convenient for administrators and staff of a healthcare practice to blame the “system”, shrug their shoulders and say that it’s always been done that way. It’s as if this “system” is a nebulous, amorphous entity that can’t really change, when in fact the “system” is made up of living, breathing people who have created the policies and procedures that dictate how their healthcare practice operates.
Due to the shortage of primary care providers, the demand for their services is so high that many practices are not accepting new patients. Finding new patients is not a concern for them. The patient has become a replaceable commodity available in plenty. After all, where is the patient going to go? To another healthcare practice where the system works in probably the same way? In any business, when the demand for the product or service far exceeds the supply, there is no real incentive for the provider to focus on customer satisfaction.
Yet a focus on patient satisfaction is precisely what needs to happen to deliver quality care and make this healthcare “system” work for the benefit of those who need it, when they need it. Great leaders within organizations do not waste time blaming the system. They go about changing it for the better. Great service organizations know that it takes effort and an unrelenting customer focus to deliver extraordinary service. I am sure that almost all doctors care about their patients and want to do the best for them. They are intimately aware of the inefficiencies in their practices and even have innovative ideas for improving the quality of patient care. Customer satisfaction surveys are a great way to get patient feedback, collect data, measure performance metrics, identify areas of improvement and implement measures that will improve workflow efficiency and ultimately the quality of patient care. They also arm those in the organization who want to improve the “system” with undeniable proof of what is working and what needs to be changed.
There is a desperate need for individuals to become more engaged in their health, take control of their bodies and manage any chronic diseases they may have. The cost of treating emergencies due to chronic diseases like diabetes, COPD and hypertension is driving US healthcare costs through the roof. Managing these chronic illnesses via regular monitoring and timely intervention can keep patients out of emergency rooms, thereby reducing the bulk of the healthcare costs.
Mobile health applications (mhealth apps) and smartphones that help track health indicators like blood pressure, weight or diet hold promise in that regard. There is no shortage of mhealth apps in the iPhone/Android stores, and that number is growing at an exponential rate. But the adoption rate of mhealth apps is not increasing. In fact it has been stagnant for the last two years. Pew Research data shows that among people over 65 years old, smartphone adoption is barely 23% and the adoption of mhealth apps to track health data is barely 1%.
What would help increase the adoption rate of mhealth apps among boomers and older people?
I think that physicians embracing mhealth apps is crucial for the adoption and continued use of mhealth apps by patients. Surely the usability of smartphones needs to be improved for seniors, with easy-to-read font sizes and apps that are less cluttered, but the more important piece of the puzzle is closing the feedback loop between the doctor and the patient. For an older person, or any patient for that matter, the importance of the mobile app/device is in its usefulness, not its novelty. The data recorded by the mobile app needs to be actionable. By that I mean the doctor should be able to evaluate the data and provide feedback to the patient, advising him/her on the next steps.
Studies have shown that most patients, especially baby boomers, would download a health app if recommended by their doctor. However, the continued usage of the health app would depend on the ease of use of the app and communication with their doctor. Continued encouragement of the use of the mhealth app by the doctor is critical in increasing patient engagement with the mhealth app. The alignment of payer-provider incentives will help in motivating physicians to adopt mobile health tools. The change from the fee-for-service model to an outcome-based payment model will encourage the use of mhealth technologies to monitor patients with chronic disease and prevent emergency room visits.
For a doctor to use, recommend and rely on mobile health app data to make decisions, the app data should fit into the workflow, be credible and actionable, and add value to the decision-making process. Maybe it would be better if the mobile app were customizable in such a way that the doctor could decide which data he/she wanted to see and with what frequency. Patients, especially the older population, feel greatly comforted knowing that their doctor cares for them and is looking out for them. Regular doctor-patient communication increases patient engagement, making them motivated to take control of their health and adhere to the health regimen that their doctor has prescribed for them.
Thinking of upgrading the computers in your healthcare practice? After all, the 8-year-old computer with the faithful Windows XP has served your needs for a long time and is on its last legs. Besides, Microsoft is going to stop supporting Windows XP soon, which means that the security updates/patches you receive every Tuesday will stop, leaving your system vulnerable to the latest viruses. So which new Windows PC should you buy? (I am assuming that you plan to continue with the Windows platform since your practice is already using it.)
First decision: Windows 7 or Windows 8?
It’s a personal decision. Windows 7 has the familiar user interface with the “Start” button. Windows 8 has the Metro interface with tiles. Many users have had difficulty adjusting to this new interface. Your staff might need time to get used to it, and this might affect your productivity in the short term. You need to be prepared for it. I would personally go for Windows 7 at this time if all you need is a desktop or laptop operating system. But if you are looking to access any confidential data via tablets, I would consider the Windows 8 OS and the Windows Pro tablet. This will provide you a seamless experience across both desktop and mobile platforms.
Second Decision: Which edition?
From a data security and HIPAA compliance perspective, if your PC, laptop or tablet stores any electronic protected health information (ePHI), the data needs to be encrypted. The Windows 7 Ultimate/Enterprise editions and the Windows 8 Professional edition have features like “BitLocker drive encryption”, which encrypts the entire drive or files on the hard drive, and “BitLocker To Go”, which encrypts data stored on USB flash drives. Enabling these two features protects your ePHI from unauthorized access and, from a compliance standpoint, creates a “safe harbor” in the event a device is lost or stolen.
Additional features present in these editions include AppLocker and DirectAccess which provide IT administrators greater control and oversight thereby increasing data security and reducing the risk of a data breach.
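Before relying on BitLocker for that safe harbor, it is worth verifying that every fixed drive on a machine is actually encrypted and protected, since a drive that was never turned on, or is still mid-conversion, holds ePHI in clear text. The following script is an added example, not code from the original post; it wraps the `manage-bde -status` command that ships with the BitLocker-capable Windows 7 and Windows 8 editions named above and reports each fixed drive's state. It assumes an elevated PowerShell prompt and the English-language output of `manage-bde`.

```powershell
# Added example (not from the original post): report the BitLocker state of every fixed drive
# by parsing the output of manage-bde, which is present on Windows 7 Ultimate/Enterprise and
# Windows 8 Pro/Enterprise. Run from an elevated PowerShell prompt.
# Assumption: manage-bde prints its English-language status text ("Conversion Status", "Protection Status").

function Get-DriveEncryptionState {
    param([string]$DriveLetter)   # e.g. 'C:'

    $out = & manage-bde -status $DriveLetter 2>&1 | Out-String

    # "Fully Encrypted", "Fully Decrypted", "Encryption in Progress", ...
    $conversion = if ($out -match 'Conversion Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    # "Protection On" / "Protection Off"; "Off" means the key protectors are suspended or absent
    $protection = if ($out -match 'Protection Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' }

    # New-Object rather than [pscustomobject] so the script also runs on PowerShell 2.0 (Windows 7)
    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        ConversionStatus = $conversion
        ProtectionStatus = $protection
    }
}

# Fixed local disks only (DriveType 3); removable USB drives fall under BitLocker To Go
$fixedDrives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object { $_.DeviceID }
$report = $fixedDrives | ForEach-Object { Get-DriveEncryptionState $_ }

$report | Format-Table Drive, ConversionStatus, ProtectionStatus -AutoSize

# Anything other than "Fully Encrypted" + "Protection On" is a gap worth recording in the risk analysis
$gaps = $report | Where-Object {
    $_.ConversionStatus -ne 'Fully Encrypted' -or $_.ProtectionStatus -ne 'Protection On'
}
if ($gaps) {
    Write-Warning "Drives that would not qualify for the encryption safe harbor if the device were lost:"
    $gaps | ForEach-Object { Write-Warning ("  {0}  ({1}, {2})" -f $_.Drive, $_.ConversionStatus, $_.ProtectionStatus) }
    Write-Host "To enable full-volume encryption: manage-bde -on <drive>: -RecoveryPassword"
    Write-Host "Keep the printed recovery password somewhere other than the device itself."
} else {
    Write-Host "All fixed drives are fully encrypted with protection on."
}
```

Running this on each PC, laptop and tablet that holds ePHI, and keeping the output, gives you the written evidence of encryption status that a risk analysis or breach investigation will ask for. A drive that reports "Fully Encrypted" but "Protection Off" is the case to watch: the data is encrypted on disk, but the key protectors are suspended, so the drive unlocks without a PIN or password.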
As a medical/dental practice, you rely on a host of vendors for your business needs. On any given day, your practice interacts with a number of outside businesses such as laboratories, medical transcriptionists, coding, billing and marketing companies and others. Patient data flows back and forth between your office and these companies. Under HIPAA, any vendor who creates, stores, maintains or transmits electronic protected health information (ePHI) on behalf of a covered entity (CE), like a dental or medical practice, is considered a business associate (BA) of the CE. As per the final HIPAA Omnibus Rule, a BA is also liable for any data breach. All BAs and their subcontractors need to commit to achieving compliance by Sept 23rd, 2013. However, it is the responsibility of the CEs to ensure that their BAs understand their compliance responsibilities and are aware of the liabilities in the event of a data loss.
It is critical for all CEs to address the following issues with their vendors who come in contact with ePHI.
- Awareness of the HIPAA Security Rule: Make sure that your BAs understand their responsibility under HIPAA to ensure the security and privacy of your ePHI. Make them aware of their liabilities and the penalties for failing to protect your data.
- Administrative, Physical and Technical Safeguards in place: Ask your BA for a copy of their Information Security Management Program. This document should explain in detail the security measures in place at the vendor site. It should encompass the physical security of their information systems and technology, as well as the written policies and procedures in place to safeguard your data.
- Risk Analysis: Your BA must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI in their possession, in accordance with HIPAA Security Rule §164.308(a)(1)(ii)(a). You should review a copy of their Risk Analysis Report if possible, or at the very least get it in writing that a thorough risk analysis was conducted.
- Contingency plan: You need to ensure that your data is safe with your BA in case of a disaster at their location. Suppose their server crashes or they have a fire. Is your data safe? Can they recover it completely and accurately? How soon can they recover it? Discuss their data backup plan and disaster recovery plan, and confirm with the BA that your data is properly protected.
- Workforce training: All BA employees need to be trained in HIPAA-compliant policies and procedures. Your BA needs to show evidence of this training.
- Business Associate Agreement (BAA): Execute a written BAA with each of your business associates covering all aspects of ePHI security. A sample BAA can be found here.
The time for covered entities to discuss these issues with their business associates is right now! Studies show that most data breaches occur outside the medical/dental office, when data is in the hands of a business associate or a subcontractor. As a covered entity you need to do your due diligence and ensure that your patient data is safe with your business associates.
Avoiding these common misconceptions regarding risk analysis will protect your patient data and your organization.
Risk Analysis is only an IT risk analysis: A thorough Risk Analysis (RA) examines the threats and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (EPHI) held by an organization. It looks at EPHI stored in computer systems (data at rest) and EPHI flowing in and out of the corporate network (data in motion). RA seeks to determine the level of risk to the data, taking into consideration the likelihood of occurrence of potential threats and their adverse impact on the business. The combination of a high probability of threat occurrence and a significant adverse impact leads to a higher degree of risk.
RA examines the administrative, physical and technical safeguards that the organization has in place to ensure the security of EPHI. It covers the people, policies, processes and technology in place and helps healthcare organizations identify and address gaps in their EPHI security.
Risk Analysis is a one-time event: Organizations change over time. Technology is constantly updated, people leave, new employees join, etc. RA needs to be conducted or reviewed on a regular basis, preferably annually, and certainly when major changes occur within an organization. Such changes include updating security measures, implementing new policies and completing additional security training for staff.
Risk Analysis is the responsibility of the IT department alone: RA should involve IT personnel as well as senior management. One person, preferably in senior management, should be named the Chief Security Officer and be held accountable for all EPHI security and compliance activities.
Risk Analysis is optional: RA is a required implementation specification under the Security Management Standard of the HIPAA Security Rule. It is also a Core Measure under the Meaningful Use attestation process.
Regardless of whether it is required by law or not, conducting a thorough risk analysis lays a strong foundation for the data security of any business.
If patients are the heart of your dental or medical practice, then patient data is the blood running through it. Do you know where this data goes while you sleep at night?
On any given day, a dental or a healthcare practice interacts with a number of outside businesses such as blood work /dental laboratories, medical transcriptionists, coding and billing companies, marketing, legal and others. Patient data flows back and forth from these business associates to the dental or medical office. It is critical to know that your patient data is secure not only inside your own practice but also with your business associates.
Studies show that data breaches often occur outside a dental or medical office. It could be a lost or stolen laptop from a third-party contractor doing your medical coding/transcription, someone hacking into their computer system, or even worse, one of their employees intentionally stealing your patient data. Medical identity theft is the fastest-growing form of identity theft in the US, with over 300,000 people falling victim to it every year. The consequences of a data breach can be disastrous for your patients and your practice.
Regardless of how the data is lost, your dental/medical office (being a covered entity under HIPAA) is responsible and liable for the data breach. You can mitigate the risk by having a signed Business Associate Agreement (BAA) with all your third-party business partners who receive, create, maintain or transmit your patient data. The signed BAA demonstrates that the business associate has implemented appropriate administrative, physical and technical safeguards to secure electronic protected health information (EPHI), as required under the HIPAA Security Rule.
Knowing that your patient data is secure inside as well as outside your office will give you the peace of mind to sleep well at night.
For a dental or healthcare practice, time is money. Appointment cancellations or no-shows seriously affect the practice bottom line. Studies have shown that the average percentage of no-shows and/or cancellations is between 18% and 22% for a dental practice and 5% to 7% for a medical office. For some offices it is even higher than that. Losses to the practice bottom line can easily run over $100,000 per year.
Dental and medical offices try a variety of methods to reduce these losses, such as overbooking, charging cancellation fees, automated reminder systems, etc. Overbooking is definitely not a good idea, as having two or more patients show up at the same time results in longer wait times for others, and nobody likes to be kept waiting.
Automated reminder systems (email, text, phone) definitely work and should be implemented. These systems have been shown to reduce the percentage of no-shows by 20-25%. They can be set up to automatically send email reminders requesting appointment confirmation through a secure internet connection. Automated phone calls can also remind patients to confirm their appointments with your office.
Your office needs to use different modes of communication to get in touch with your patients. In this day and age, many people respond faster to email/text than to the phone. I can tell you from my own experience with my provider. I get an email reminder a few days prior to my appointment. The email provides a link to a secure webpage where I can confirm or cancel my appointment. It also gives me the option to add the appointment to my calendar and even provides directions to the office (which new patients will appreciate). There are a number of automated reminder solutions available that are affordable even for solo or small group practices and can be set up very quickly. No special hardware is needed, and the software can usually be downloaded directly over the internet.
Relying just on the phone is not a good practice, nor is it an efficient way to use your staff’s time. On some really busy days your staff may not find the time to make appointment reminder calls. In most cases it is cheaper to use an automated system than to have one of your staff make calls. Their time is valuable. Use it wisely. Get in touch with patients a week before their appointment. This gives them a chance to reschedule the appointment if needed and, more importantly, gives your office time to fill that slot with another patient in case of a cancellation.
Despite all the above methods some patients are chronic no-shows or late comers. You need to weed the chronic no-shows out of your practice. Have a practice policy that clearly states that late comers will lose their appointment slot and will have to wait for the next available one. Display this policy along with the cancellation fee policy at your front desk and on your website.
I could sense the level of frustration in the doctor’s voice. She was getting calls from other doctors and patients with the same questions. This was taking her time away from seeing patients, reducing her productivity and making her frustrated. I have seen this problem manifest itself in different businesses, not just in healthcare. Luckily, there is a simple fix for this.
The problem really relates to the saying “Old habits die hard”. Most of us are so used to calling someone as our first action when we need something. It is just ingrained in our mindset. The inverse of that is even worse. We tend to pick up the phone and answer the same questions over and over again, interrupting our workflow and productivity.
Here are a few simple steps you can implement in your practice today to stop this inefficient phone call/phone tag cycle and increase productivity.
- Have a list of frequently asked questions (FAQ) with clear answers on your website. The questions could cover dosage recommendations, seasonal flu information, simple at home tests patients can do themselves before calling your office etc.
- Have a process or a mechanism to screen calls. Instruct your front office staff to direct commonly asked questions from patients and physicians to the FAQ list. Make patients aware of the FAQ list and get them in the habit of checking it before calling you. Your staff time is valuable. Use it to answer more important, critical calls.
- Don’t make your website just a brochure with information about your office and bios. Make it interactive. Provide the educational information that patients are looking for. Studies show that most Americans, including >60% of seniors, are online looking for answers to various health questions. It is better that they get the correct information from you, their doctor, than from some unreliable website. If your practice is interested in raising awareness about certain health conditions, or promoting a health cause, an interactive website is a great way to do that.
- Implement policies and processes that increase practice efficiency and productivity and train your staff accordingly.
It is a matter of breaking old habits and replacing them with better ones. It’s not as difficult to do as you may think!
Building a successful dental/healthcare practice, or any business, is hard work. It takes time, money, resources and, most of all, a lot of patience. Believe me, I know, because I am in the same boat. As the founder of Kinara Insights, I always think about how to connect and communicate more effectively with my clients and partners. Given the rapid progress in technology and the rise of electronic methods of communication like email, texting and social media, it is imperative that we leverage them to our advantage to provide better service to our clients.
I know a number of dental/healthcare practices are wary about using information technology. This apprehension is understandable. However, it does not need to remain that way. Taking your practice from a wholly paper-based practice to a more digital practice need not be done all at once. You can take simple steps now to start the conversion process. More technology can be phased in gradually when you and your staff are ready. People need time and training to get used to a new system, and a gradual transition is better than an abrupt makeover. Here's what you can do. Start by using secure email to communicate with your patients and peers. Secure email encrypts your email messages and prevents anyone except the intended recipient from reading the contents of the email. Implementing this email solution provides numerous benefits to your practice:
- Optimizes your workflow, increases efficiency and productivity
- Cuts down on phone tag
- Frees up staff time for other important matters
- Enables the practice to provide patient registration forms online
- Makes it convenient for the provider and patient to communicate securely
- Maintains compliance with the HIPAA security rule
As the saying goes, “The journey of a thousand miles must begin with a single step”. Envision your practice utilizing the technology that can improve the quality of patient care you provide and make you more productive and prosperous. Look at the long term. Think big. Start small. Take the first step!