Cost Conundrum for Value Based Care

change-1245949_640The healthcare system is rapidly adopting alternative payment methodologies and overall moving away from the traditional fee for service system. The primary form of alternative payment is value based care, which is also broadly categorized as paying for quality as opposed to quantity. As suggested, value based care focuses on a comprehensive approach to care and is largely considered to encourage thinking about cafe beyond the walls of a healthcare provider’s office.

At this point in time, value based care initiatives still represent significantly less than half of most providers’ reimbursements. While there are some exceptions to that rule, when thinking nationally, the percentage of providers with a large portion of value based reimbursement agreements is not overwhelming. Such circumstances exist despite multiple Medicare accountable care organization models, bundled payment initiatives, and similar programs or projects to move away from fee for service.

Since value based care focuses on quality, a greater incentive exists to expand the scope of care and types of services that are offered. Value based care often also directly leads to shared risk or capitated payments, where the provider is responsible for providing pretty much all care on a predetermined budget. Accordingly, the goal becomes how to keep patients healthy and minimize the risk of a serious complication in the future. As such, coordinating care in a variety of settings and also engaging with patients in different ways is encouraged. For example, case coordinators or care managers may help find out what social factors in a patient’s life are contributing to a particular outcome or issue. Integration with mental or behavioral health is also encouraged since mental and physical health issues can rarely be separated.

While value based care encourages an expanding array of services, each additional service costs money to provide. Arguably, value based care payments help to cover those costs because providers are no longer paid per service provided (fee for service) but instead based upon a range of factors about the patient population being served. Since payment comes in regardless of whether services are provided and there is an incentive to avoid providing an abundance of traditional services, the capitated or monthly payment can be used to cover the cost of the newer, non-traditional services. Such is the ideal scenario.

As so often happens, the reality differs. The cost of providing the additional services, both in terms of staff compensation and the services, can easily outpace the revenue difference seen from preset payments as opposed to service-based payments. Engaging in a fundamental transformation of operations is not cheap. Many organizations cannot afford to change to a model that could succeed in the new world or the cost of changing eats up any potential extra revenue generated by controlling costs.

A prime example of the difficulty to transform systems can be seen in the background for the upcoming transition of MassHealth (Medicaid in Massachusetts) to delivering at least eighty percent (80%) of care through accountable care organizations. The reform of MassHealth is being accomplished through a waiver with the federal government. The waiver includes $1.8 billion of federal funding to help pay for the cost of providers implementing new care models and otherwise delivering a different type of care. The $1.8 billion will be paid out over five years. The funding is great, but to some degree ignores a looming question suggested above: what happens when there is no supplemental funding? Will organizations be able to keep new programs in place, or will delivery revert back to how it was because staff cannot be paid and new infrastructure is too expensive? The answer to that question will determine whether there is a fundamental flaw built into value based care, or if ingenuity can really change the healthcare system.

The other major challenge in the value based care world is the moving targets of how success is defined and the variety of definitions of success. Each value based care program )whether thinking about one of the many Medicare programs, any state’s Medicaid program or a privately run program) uses different measures for success. While the measures may be the same, the means of proving that the measure was satisfied can be different. Those differences can be significant or minimal. Regardless of the scope of the difference, the fact that a difference exists means more cost for each provider to succeed and potentially having to do the same thing in a slightly different way. Further, the measures used may not even be reflective of high-value care, making the incentive almost perverse. Until quality measures can be refined, some providers may be scared away from one or more or even all value based care programs for fear of being penalized for trying to do the right thing.

While there is near universal agreement that the healthcare system cannot remain as it has been, value based care is also not accepted as the guaranteed solution. Many challenges remain and many questions exist as to the ability to fund the change. While those challenges exist, they should not be viewed as insurmountable challenges and especially not as a reason to avoid change. There will be and has been pain, but that will hopefully lead to a solution that works across the board and truly achieves the goal of improving the quality of care received by all.

Posted in Accountable Care Organization, ACO, Business, Healthcare Reform | Tagged , , , , | 2 Comments

I Spy, A HIPAA Breach?: Video Recording in Healthcare

smartphone-2790799_640Video recording has been as simple as turning on a smartphone and videos appear on the internet all of the time. Police body cameras are another growing area where a video is taken every day and in all sorts of locations. When those videos record activities in a hospital, physician’s office, or other healthcare settings, what is permissible? It is questions being raised with increasing frequency and one that is challenging to organizations. Like so many regulatory requirements or conundrums, the answer is not so clear. Who wants to make the recording, the circumstances surrounding the recording, and other factors play into what may be allowed or what could result in a HIPAA violation. While the outcome will depend upon the specific facts and circumstances, some HIPAA awareness can be generated by considering a few different scenarios where recording may occur.

Scenario #1 – A physician starts a patient examination and is seeing a reaction or behavior that is pretty unique. Since the situation is unique, the physician wants to be able to show some of the actions or interaction with colleagues. TO do this, the physician takes out their smartphone and starts recording. The physician then sends the recording to some physician friends to solicit other opinions or ideas. Was the recording allowed?

Taking the scenario on its face, the physician’s actions would be quite troubling under HIPAA. The physician recorded a patient encounter, so it is highly likely that some amount of identifying information appeared in the video. Second, the video is being stored on what is probably a personal smartphone with potentially unknown security protections. Lastly, the video is then being sent to other individuals who may not work at the same organization, which means information is being sent out into the open, which concern is not alleviated by the recipients also being physicians.

With all of the potential concerns, what could have been done differently? The physician could have asked the patient if recording was ok with the patient. The patient’s response then could have been documented and, assuming an affirmative response, the authorization would help in clearing up concerns. An authorization from the individual whose information is impacted is one of the golden keys under HIPAA.

However, the authorization does not resolve privacy concerns around storing information on a personal device or sending the information to individuals outside the organization. From the device perspective, organizations need to have a “bring your own device” policy in place that sets out how and when personal devices can be utilized. If storing HIPAA covered information is unavoidable, then the device should be equipped with appropriate security measures. Good security measures can anticipate the device being lost or stolen or some other form of compromise.

The last major issue presented by the scenario is the transmission of the information by the physician to friends outside the organization. HIPAA permits sharing of protected health information for treatment purposes, so could sending questions to a peer group qualify? The answer is not clear as an argument could be made that such sharing is equivalent to the old so-called hallway consult. That argument could be strained though since the hallway consult at least would typically involve providers who were all in the same group or office. A group of friends who happen to by physicians is different. The friend group likely does not have any relationship with the patient, which would extend a determination that no treatment relationship exists or would exist. Sending information to friends in this context is most likely not consistent with HIPAA requirements and should not be allowed. The situation could be remedied by sending information that is de-identified or seeking a second view from a direct colleague.

Scenario #2 – A patient presents in the emergency room with a bunch of friends. As happens so often now, one of the friends wants to document what is happening. To do this, the friend starts taking short videos and posts them on a social media site. Was the recording a HIPAA violation?

When a recording in a healthcare facility, whether a hospital or medical office, is made by a visitor, the HIPAA concerns become significantly more nuanced. HIPAA only applies to covered entities, business associates, and subcontractors. The privacy and security requirements of HIPAA do not apply to patients or their visitors. If a visitor takes a video, that video does not necessarily result in a HIPAA violation. If the patient is not happy, it is ultimately up to the patient to take up that issue with the visitor.

That being said, the healthcare facility cannot and should not turn a blind eye to the recording. From the universal perspective, a recording and video policy should be adopted. The policy would not necessarily be limited solely to instances of recording by visitors, but cover all forms of potential recordings. Thinking of visitors specifically, the policy can limit when, who and how recordings could be made. As noted above, the facility cannot stop the patient from being recorded by a visitor, but can restrict when physicians, providers or other staff could be recorded as well as aiming to prevent other patients from being included in the video.

Consideration of other patients is where a facility could run into HIPAA complications. HIPAA expects reasonable efforts to be undertaken to protect the privacy of all protected health information, which means all patients. In the recording context, that obligation arguably extends to preventing and/or minimizing the inclusion of patients or information in a video. As such, if a facility does nothing to control visitors from freely recording other patients, provider interactions, or other bits of action in the facility, a HIPAA risk could be generated. As suggested, a policy covering recording will help to refute such a claim and inform visitors as to what will be permissible. Accordingly, the basic tenets of the policy should be clearly communicated, for example by posting signs stating that recording is not allowed and that the facility can request that any recording made be deleted. In conjunction with publicly posting the policy, staff should be educated and empowered to enforce the policy. While a policy and enforcement may not stop all unapproved or undesired recordings, it can establish the reasonableness of the facility’s approach.

Scenario #3 – A police officer comes to a hospital because it is believed that a suspect connected to a crime is a patient at the facility. The officer is wearing a body camera that is constantly recording and is attached to the officer.

From one perspective, a police officer is no different than any other visitor. The officer does not work for the facility, is not a patient and is arguably arriving to “visit” an actual patient. Since the officer is coming into the facility to see an individual being treated by the facility, the officer should not be treated any differently. That would mean applying the facility’s recording policy.

However, the police officer may feel like a different sort of visitor or make an assertion that HIPAA does not apply to them or that they are otherwise entitled to make a recording and/or access information. It is accurate to a degree to state that police officers and other law enforcement officials may be the recipients of protected health information without needing to obtain an authorization or give an individual the opportunity to object. The use and disclosure to law enforcement may be fairly broad, but limited at the same time. The following are most of the allowed uses and disclosures: (i) as required by law including reporting of certain types of wounds or other physical injuries, (ii) in compliance with a court order or subpoena or similar administrative request, (iii) for identification or location purposes, but only information specified in the rule, (iv) information about someone who is or is suspected to be a victim of a crime if the individual agrees or based upon representations of the law enforcement official if the person is incapacitated and the information is needed to help catch the criminal and will not be used against the individual, or (v) reporting crime in emergencies. As indicated, the scope of information that can be shared is broad, but does not necessarily permit a police officer or law enforcement official to freely walk around a healthcare facility and record what the officer observes.

As already suggested, the best course for the healthcare facility would be to implement a uniform policy and consistently enforce that policy. Since law enforcement could represent a unique circumstance, coordination between the healthcare facility and the local police station or other law enforcement agency would be beneficial Advance communication and understanding could help to defuse potentially high tension circumstances.

The growing popularity and ease of video recordings make awareness of the interaction between video and HIPAA essential. As with so many other areas of HIPAA compliance, advance knowledge can help avoid misunderstandings and negative confrontations.

Posted in Compliance, HIPAA, Regulations | Tagged , , , , , | Leave a comment

Relief from HIPAA: When, If Ever, Is It Necessary

freedom-1886402_640The seemingly non-stop move from one natural disaster or health emergency to another places a significant strain on the healthcare system. Providers either cannot reach a facility, whether hospital or otherwise, or patients overwhelm a particular facility. Additionally, patients from other locations may be swept up in an event and brought into the healthcare setting well away from their home. At such a time providers and healthcare facilities should be focused solely on providing care and doing everything possible to reduce or mitigate harm. HIPAA should not enter into conscious thought or be used as an excuse or barrier to keeping individuals or family members up to date on what is happening. While that is the ideal scenario, the reality is often far different.

Given the unfortunate reality that HIPAA is often misused, both at calm times and in times of stress, the Department of Health and Human Services and Office for Civil Rights have gone down the road, whether real or advertised, of “waiving” enforcement of HIPAA. For example, following Hurricanes Harvey, Irma and Maria, limited waivers of HIPAA were announced.  Each waiver stated that entities did not need to comply with the following, specified requirements of HIPAA: (i) obtaining a patient’s consent before speaking with a family member or friend involved in their care, (ii) honoring a request to opt out of a facility directory, (iii) distributing a notice of privacy practices, (iv) honoring a request for privacy restrictions, and (v) honoring a request for confidential communications.  In reality, only the waiver of notice of privacy practices requirements likely had any impact. Each of the other elements identified should not have posed much of an issue for an entity to satisfy.

Both speaking with family members or others involved in an individual’s care and listing in a facility directory are uses and disclosures that require giving the individual the opportunity to object. Further, both types of use and disclosure specifically lay out what to do in the event of an emergency. In an emergency, created by incapacity or exigent circumstances, the covered entity can use reasonable judgment to disclose some of the permitted information. In the case of a family member or other person involved in the individual’s care, a disclosure would likely encompass confirming that the individual is present and potentially the condition that that individual is facing. A facility directory will contain much of the same information. Since such uses and disclosures only require the opportunity to object, why is a waiver from complying necessary?

Turning to honoring a request for privacy restrictions, except for the limited circumstance of withholding information when paid out of pocket, complying with a request for restrictions is purely discretionary. The HIPAA Privacy Rule does not obligate a covered entity to grant a patient’s request. If that is the case, why was a waiver necessary? Arguably, such a waiver creates a false impression of leniency.

The waiver on honoring a request for confidential communications is similar. The HIPAA Privacy Rule requires covered entities to permit an individual to request confidential communications and must accommodate reasonable requests. Even in an emergency, it is possible to document a request and put a notation in. It is also a bit of a stretch to think that an individual who has just survived a hurricane is thinking about restricting how a hospital or provider will follow up about treatment provided. As indicated, this waiver seems like much ado about nothing.

Turning to epidemics and treatment related crises, the opioid crisis is the event grabbing the most headlines. Following the declaration that the opioid crisis constitutes a health emergency, HHS and OCR produced a document explaining how physicians and likely all covered entities can respond. Many mainstream media outlets and others identified the statement as a relaxation of HIPAA requirements or a waiver. Such assertions are not accurate. Instead, the document outlines permissible uses and disclosures under the HIPAA Privacy Rule, without modification, that will enable appropriate information to be pushed out. The guidance leans heavily upon uses and disclosures that require the opportunity for an individual to object and uses and disclosures where no opportunity to object is necessary. The first category (opportunity to object) was discussed in connection with the hurricane waivers. An opportunity to object does not necessarily mean specifically asking the individual. It could arguably be accomplished by starting to engage in the use or disclosure in front of the individual and if nothing is done to stop the communication, then no objection is implied.

Uses and disclosures not requiring an opportunity to object constitute the larger category. This portion of the HIPAA Privacy Rule contains twelve scenarios, some of which are comprised of multiple sub-scenarios. The uses and disclosures include for public health activities, certain abuse situations, where the individual poses a serious risk of imminent harm to themselves or others, health oversight activities, and many others. The ability to use and disclose information without objection or consent fits within the fairly permissive scheme that HIPAA actually implements, but is so often not appreciated.

While only a fraction of the uses and disclosures that HIPAA really allows was discussed above, it should be clear that HIPAA is not the problem during a natural disaster or health crisis. Instead, as usual, the problem is a failure to fully appreciate how HIPAA operates. Instead of complaining about HIPAA, let us ensure that all are fully educated and trained.

Posted in Compliance, Healthcare, HIPAA, HITECH, Physicians, Regulations | Tagged , , , , , , | 1 Comment