A Year of Uncertainty: Healthcare in Flux

uncertainty-relation-2434282_640Healthcare experienced a large degree of uncertainty and fluctuation in 2017. Almost no day passed without news of action or activity impacting the industry. All of the back and forth left healthcare buffeted and ready for a rest. Unfortunately, that rest is unlikely to come in 2018. Before considering what could be on tap for 2018 though, it is important to review some of the major issues that impact healthcare in 2017.

Data breaches remain a top issue for which healthcare does not have an answer. Both the number of breaches that occurred and the number of records impacted climbed for another year. At this point, it almost feels as though there is no patient left in the country whose medical information has not been breached at some point, which assessment is most likely an exaggeration though not as big as would previously have been contemplated. The past year also saw two causes of the data breaches separate from the pack: (i) cyberattacks through vehicles such as ransomware, malware or phishing and (ii) insider threats. Earlier in the year, the pace of attacks equaled more than a breach per day, which the end of year data should hold true. As more and more data become exposed, the question of whether healthcare can be trusted actually maintain the privacy and security of data is a valid one to ask.

The difficulty arises from the number of systems connected within even one healthcare facility’s ecosystem as well as the inability to update some connected devices. As such, the number of avenues for an attack is numerous and sometimes without even the possibility of implementing a defensive mechanism. Such considerations also do not touch upon the insider risk, which can circumvent most security measures since the breach is caused by an individual with permissible access to the system. Overall, cyber risk and attacks left many in healthcare wondering when their organization would make a headline.

The transition to value-based care challenged the healthcare industry, whether providers or insurers, for many reasons. First, moving from a system based upon volume to value requires a major realignment of systems, objectives, and goals. The realignment has required a significant investment of time and resources to fundamentally modify operations. Many compared the move to value-based care as a retread of the failed movement to managed care in the 1990s. Unlike the 1990s though, the new move to value-based care included Medicare. As a result of the Affordable Care Act, Medicare began experimenting with accountable care organizations, bundled payments, and other innovation initiatives to bolster payment for quality. Many states also began to follow suit with Medicaid and introduce more aspects of managed care. The involvement of the major government payors arguably provided cover for private payors to engage in similar efforts.

While those efforts had been proceeding steadily albeit slowly through the end of 2016, the process hit a potential roadblock in 2017. Mixed signals and deliberate retrenchment from the Centers for Medicare and Medicaid Services left no clear answer as to whether Medicare will continue really driving value-based care initiatives. The focus of Medicare’s pullback was on the bundled payment or comprehensive care initiatives, whether cutting contemplated programs or not continuing to push the envelope with existing programs. While the end of the year potentially brought another shift in position, there is no clear answer. The shifting ground for value-based care opens the door to the question of whether investments have been for naught or changes will proceed without Medicare. The hope is value-based care will continue since maintaining the prior system was clearly not sustainable.

Consolidation, whether successful or thwarted, was the third major issue that cast a shadow over healthcare in 2017. The failed mergers of four of the largest insurers garnered a significant amount of attention. Providers feared the mergers would have curtailed the ability to negotiate “better” prices and consumers were uncertain as to what fewer insurance companies would mean in terms of plan options. While those fears were debated, they were not tested since court challenges by antitrust enforcers defeated both proposed transactions. The failed mergers actually resulted in one of the bigger surprises toward the end of the year, namely the merger of CVS and Aetna (not closed yet, but moving quickly). Instead of Aetna becoming an even larger insurance company, it will now team up with one of the largest pharmacy chains in the country and attempt to revolutionize the access to and delivery of care. While much speculation abounds as to what the combined CVS and Aetna will do, expect at least one unexpected action to occur.

While the insurance companies were playing games, providers (whether physicians or hospitals) also continued. The unstopped consolidation leaves small, independent practices a growing rarity, at least in some parts of the country. The consolidation also sparked a few analyses suggesting that the accumulation of small deals that could fly under the antitrust radar was resulting in market-dominant groups that should be subject to oversight. At the same time, the justification that consolidation is necessary for value-based care was often trotted out. Those assertions largely remain unproven, partially for some of the reasons discussed above that value-based care is not actually the primary means of reimbursement for pretty much all providers. Following both the failed and successful mergers, the question became who would be next and could the next deal make it through.

The final issue, at least for purposes of this article, generating uncertainty in healthcare is the increasing interest and activity of private equity (PE) or venture capital (VC) money in healthcare. Investors coming in through these means often expect a good return on the money put in with an eye toward selling the investment in a 3-5 year time period. Accordingly, PE and VC investors can seek to alter major portions of operations and shift the focus of an organization. Such changes can be jarring to previous owners who were used to operating in a certain manner and not used to others expecting to get a big return. The other impact of a PE or VC invest is that previous owners are also expected to remain involved, oftentimes with a decent sized investment, which binds the previous owner and subjects the previous owner to driving goals set by others.

At the same time, the PE or VC investors may also be new to healthcare and not fully cognizant of regulatory or other requirements. Getting up to speed on these issues can complicate transactions and operations post-closing. The feeling out period for both sides may generate impaired operations that impact unanticipated areas of an organization.

As highlighted by the issues discussed in this article, a lot happened in healthcare in 2017. The year was tumultuous with a lot of ups and downs. No area of the industry was immune. Only one thing can be said for certain, much of what happened could not be predicted at the beginning of the year, but the industry made it through. That is always the key, while uncertainty may remain, everyone must do the best that they can and remain focused on providing good care and keeping individuals in good health.

Posted in Accountable Care Organization, ACO, Business, Health IT, Healthcare, HIPAA, Regulations | Tagged , , , , | Leave a comment

Cost Conundrum for Value Based Care

change-1245949_640The healthcare system is rapidly adopting alternative payment methodologies and overall moving away from the traditional fee for service system. The primary form of alternative payment is value based care, which is also broadly categorized as paying for quality as opposed to quantity. As suggested, value based care focuses on a comprehensive approach to care and is largely considered to encourage thinking about cafe beyond the walls of a healthcare provider’s office.

At this point in time, value based care initiatives still represent significantly less than half of most providers’ reimbursements. While there are some exceptions to that rule, when thinking nationally, the percentage of providers with a large portion of value based reimbursement agreements is not overwhelming. Such circumstances exist despite multiple Medicare accountable care organization models, bundled payment initiatives, and similar programs or projects to move away from fee for service.

Since value based care focuses on quality, a greater incentive exists to expand the scope of care and types of services that are offered. Value based care often also directly leads to shared risk or capitated payments, where the provider is responsible for providing pretty much all care on a predetermined budget. Accordingly, the goal becomes how to keep patients healthy and minimize the risk of a serious complication in the future. As such, coordinating care in a variety of settings and also engaging with patients in different ways is encouraged. For example, case coordinators or care managers may help find out what social factors in a patient’s life are contributing to a particular outcome or issue. Integration with mental or behavioral health is also encouraged since mental and physical health issues can rarely be separated.

While value based care encourages an expanding array of services, each additional service costs money to provide. Arguably, value based care payments help to cover those costs because providers are no longer paid per service provided (fee for service) but instead based upon a range of factors about the patient population being served. Since payment comes in regardless of whether services are provided and there is an incentive to avoid providing an abundance of traditional services, the capitated or monthly payment can be used to cover the cost of the newer, non-traditional services. Such is the ideal scenario.

As so often happens, the reality differs. The cost of providing the additional services, both in terms of staff compensation and the services, can easily outpace the revenue difference seen from preset payments as opposed to service-based payments. Engaging in a fundamental transformation of operations is not cheap. Many organizations cannot afford to change to a model that could succeed in the new world or the cost of changing eats up any potential extra revenue generated by controlling costs.

A prime example of the difficulty to transform systems can be seen in the background for the upcoming transition of MassHealth (Medicaid in Massachusetts) to delivering at least eighty percent (80%) of care through accountable care organizations. The reform of MassHealth is being accomplished through a waiver with the federal government. The waiver includes $1.8 billion of federal funding to help pay for the cost of providers implementing new care models and otherwise delivering a different type of care. The $1.8 billion will be paid out over five years. The funding is great, but to some degree ignores a looming question suggested above: what happens when there is no supplemental funding? Will organizations be able to keep new programs in place, or will delivery revert back to how it was because staff cannot be paid and new infrastructure is too expensive? The answer to that question will determine whether there is a fundamental flaw built into value based care, or if ingenuity can really change the healthcare system.

The other major challenge in the value based care world is the moving targets of how success is defined and the variety of definitions of success. Each value based care program )whether thinking about one of the many Medicare programs, any state’s Medicaid program or a privately run program) uses different measures for success. While the measures may be the same, the means of proving that the measure was satisfied can be different. Those differences can be significant or minimal. Regardless of the scope of the difference, the fact that a difference exists means more cost for each provider to succeed and potentially having to do the same thing in a slightly different way. Further, the measures used may not even be reflective of high-value care, making the incentive almost perverse. Until quality measures can be refined, some providers may be scared away from one or more or even all value based care programs for fear of being penalized for trying to do the right thing.

While there is near universal agreement that the healthcare system cannot remain as it has been, value based care is also not accepted as the guaranteed solution. Many challenges remain and many questions exist as to the ability to fund the change. While those challenges exist, they should not be viewed as insurmountable challenges and especially not as a reason to avoid change. There will be and has been pain, but that will hopefully lead to a solution that works across the board and truly achieves the goal of improving the quality of care received by all.

Posted in Accountable Care Organization, ACO, Business, Healthcare Reform | Tagged , , , , | Leave a comment

I Spy, A HIPAA Breach?: Video Recording in Healthcare

smartphone-2790799_640Video recording has been as simple as turning on a smartphone and videos appear on the internet all of the time. Police body cameras are another growing area where a video is taken every day and in all sorts of locations. When those videos record activities in a hospital, physician’s office, or other healthcare settings, what is permissible? It is questions being raised with increasing frequency and one that is challenging to organizations. Like so many regulatory requirements or conundrums, the answer is not so clear. Who wants to make the recording, the circumstances surrounding the recording, and other factors play into what may be allowed or what could result in a HIPAA violation. While the outcome will depend upon the specific facts and circumstances, some HIPAA awareness can be generated by considering a few different scenarios where recording may occur.

Scenario #1 – A physician starts a patient examination and is seeing a reaction or behavior that is pretty unique. Since the situation is unique, the physician wants to be able to show some of the actions or interaction with colleagues. TO do this, the physician takes out their smartphone and starts recording. The physician then sends the recording to some physician friends to solicit other opinions or ideas. Was the recording allowed?

Taking the scenario on its face, the physician’s actions would be quite troubling under HIPAA. The physician recorded a patient encounter, so it is highly likely that some amount of identifying information appeared in the video. Second, the video is being stored on what is probably a personal smartphone with potentially unknown security protections. Lastly, the video is then being sent to other individuals who may not work at the same organization, which means information is being sent out into the open, which concern is not alleviated by the recipients also being physicians.

With all of the potential concerns, what could have been done differently? The physician could have asked the patient if recording was ok with the patient. The patient’s response then could have been documented and, assuming an affirmative response, the authorization would help in clearing up concerns. An authorization from the individual whose information is impacted is one of the golden keys under HIPAA.

However, the authorization does not resolve privacy concerns around storing information on a personal device or sending the information to individuals outside the organization. From the device perspective, organizations need to have a “bring your own device” policy in place that sets out how and when personal devices can be utilized. If storing HIPAA covered information is unavoidable, then the device should be equipped with appropriate security measures. Good security measures can anticipate the device being lost or stolen or some other form of compromise.

The last major issue presented by the scenario is the transmission of the information by the physician to friends outside the organization. HIPAA permits sharing of protected health information for treatment purposes, so could sending questions to a peer group qualify? The answer is not clear as an argument could be made that such sharing is equivalent to the old so-called hallway consult. That argument could be strained though since the hallway consult at least would typically involve providers who were all in the same group or office. A group of friends who happen to by physicians is different. The friend group likely does not have any relationship with the patient, which would extend a determination that no treatment relationship exists or would exist. Sending information to friends in this context is most likely not consistent with HIPAA requirements and should not be allowed. The situation could be remedied by sending information that is de-identified or seeking a second view from a direct colleague.

Scenario #2 – A patient presents in the emergency room with a bunch of friends. As happens so often now, one of the friends wants to document what is happening. To do this, the friend starts taking short videos and posts them on a social media site. Was the recording a HIPAA violation?

When a recording in a healthcare facility, whether a hospital or medical office, is made by a visitor, the HIPAA concerns become significantly more nuanced. HIPAA only applies to covered entities, business associates, and subcontractors. The privacy and security requirements of HIPAA do not apply to patients or their visitors. If a visitor takes a video, that video does not necessarily result in a HIPAA violation. If the patient is not happy, it is ultimately up to the patient to take up that issue with the visitor.

That being said, the healthcare facility cannot and should not turn a blind eye to the recording. From the universal perspective, a recording and video policy should be adopted. The policy would not necessarily be limited solely to instances of recording by visitors, but cover all forms of potential recordings. Thinking of visitors specifically, the policy can limit when, who and how recordings could be made. As noted above, the facility cannot stop the patient from being recorded by a visitor, but can restrict when physicians, providers or other staff could be recorded as well as aiming to prevent other patients from being included in the video.

Consideration of other patients is where a facility could run into HIPAA complications. HIPAA expects reasonable efforts to be undertaken to protect the privacy of all protected health information, which means all patients. In the recording context, that obligation arguably extends to preventing and/or minimizing the inclusion of patients or information in a video. As such, if a facility does nothing to control visitors from freely recording other patients, provider interactions, or other bits of action in the facility, a HIPAA risk could be generated. As suggested, a policy covering recording will help to refute such a claim and inform visitors as to what will be permissible. Accordingly, the basic tenets of the policy should be clearly communicated, for example by posting signs stating that recording is not allowed and that the facility can request that any recording made be deleted. In conjunction with publicly posting the policy, staff should be educated and empowered to enforce the policy. While a policy and enforcement may not stop all unapproved or undesired recordings, it can establish the reasonableness of the facility’s approach.

Scenario #3 – A police officer comes to a hospital because it is believed that a suspect connected to a crime is a patient at the facility. The officer is wearing a body camera that is constantly recording and is attached to the officer.

From one perspective, a police officer is no different than any other visitor. The officer does not work for the facility, is not a patient and is arguably arriving to “visit” an actual patient. Since the officer is coming into the facility to see an individual being treated by the facility, the officer should not be treated any differently. That would mean applying the facility’s recording policy.

However, the police officer may feel like a different sort of visitor or make an assertion that HIPAA does not apply to them or that they are otherwise entitled to make a recording and/or access information. It is accurate to a degree to state that police officers and other law enforcement officials may be the recipients of protected health information without needing to obtain an authorization or give an individual the opportunity to object. The use and disclosure to law enforcement may be fairly broad, but limited at the same time. The following are most of the allowed uses and disclosures: (i) as required by law including reporting of certain types of wounds or other physical injuries, (ii) in compliance with a court order or subpoena or similar administrative request, (iii) for identification or location purposes, but only information specified in the rule, (iv) information about someone who is or is suspected to be a victim of a crime if the individual agrees or based upon representations of the law enforcement official if the person is incapacitated and the information is needed to help catch the criminal and will not be used against the individual, or (v) reporting crime in emergencies. As indicated, the scope of information that can be shared is broad, but does not necessarily permit a police officer or law enforcement official to freely walk around a healthcare facility and record what the officer observes.

As already suggested, the best course for the healthcare facility would be to implement a uniform policy and consistently enforce that policy. Since law enforcement could represent a unique circumstance, coordination between the healthcare facility and the local police station or other law enforcement agency would be beneficial Advance communication and understanding could help to defuse potentially high tension circumstances.

The growing popularity and ease of video recordings make awareness of the interaction between video and HIPAA essential. As with so many other areas of HIPAA compliance, advance knowledge can help avoid misunderstandings and negative confrontations.

Posted in Compliance, HIPAA, Regulations | Tagged , , , , , | Leave a comment