HIPAA Compliance Part II: Cloud Security and Cyberinsurance

Last week we talked about HIPAA compliance as an ongoing process. Part of the reason that it must be ongoing is that the world changes. We are constantly offered new ways of doing the business part of behavioral health practice, and each of those new methods must be evaluated in light of the privacy and security requirements of HIPAA. For example, I know that many of you have gone to multipurpose copy/print/fax machines. Hopefully, you remember that the hard drives in those machines store most things that you photocopy, print or fax. When you eventually get rid of that machine, you will need to remove and destroy the hard drive in order to be sure the information you have processed does not leave your organization.

Another arena in which many of our customers now find themselves is access to Protected Health Information (PHI) “in the cloud”. Some customers back up their data to some sort of cloud storage. Some of you are using EMRs or eRx tools that are accessed from the Internet. Some of you have for years had practitioners access your billing and clinical record software remotely, connecting by means of a remote control product or something like Windows Terminal Services. All of these activities require that you make sure your processes are HIPAA compliant…and that does not mean that the service provider says they are.

HIPAA requires that data be secured both when it is “at rest” and when it is “in motion” using certain NIST standards. The requirements are pretty technical; interpretation of the rules extends to specific actions that must be taken by the Covered Entity. This generated some interesting discussion on our SOS User Group.

Dr. B posted: When PHI is stored on a website, how should that PHI be accessed? When are those computers considered secure in accessing that information? Obviously, it is not enough to assume that because the website is secure (has secure log in features), it is HIPAA compliant to access that website from any computer, anywhere. So, to what lengths must a business owner [go] when allowing staff to access PHI stored on the internet? How locked down and monitored should staff computers [be]?

I have heard a whole range of responses as to what people believe is necessary.

1. Some let their staff access the web-based PHI from any computer.

2. Some tell their staff to just be sure to clear the browser history, and they’ll be OK.

3. Some believe they are OK just having their staff sign an agreement that they are accessing PHI on a personal computer that is encrypted and has antivirus.

4. Some believe they have to buy computers for the staff and it is the owner's responsibility to secure and monitor those computers in an ongoing fashion. That is, staff are not allowed to access the web-based PHI from a personal computer.

5. Some believe it is OK to use a type of VPN connection from a personal computer through an app such as “Remote App” because this app gives access to a “virtual server” on the cloud. This app, provided by Microsoft, will only allow the user to access designated websites like the one where the PHI is stored.

Regarding option #3, I have heard from IT experts that “people are stupid” when it comes to understanding computers. So while they may think they have good antivirus and are doing security updates, most are way off base. And if something happens, it falls at the owner's feet (or wallet), not on the staff person who signed an agreement.

Lastly, I heard from a few IT experts who believe that in the next two years there will be many midsize healthcare companies that get nailed with big fines, and these people will be the unfortunate test cases.

After SOS staff discussion in our HIPAA training meeting, Seth replied: Secure use of cloud resources that involve PHI requires:
  • Encrypted storage at the cloud service provider.
  • Encryption of data being passed back and forth – preferably VPN/Virtual Private Cloud.
  • Secure client end-point.
I think your question is specifically about security at the client side, so let’s now look at the factors there:
  • Hardware and operating system factors
    • Operating system updates
    • Virus and malware protection
    • Encryption of local storage, especially on portable equipment
    • Others using the equipment MUST use a separate log-in. This is a big issue for those working from home.
    • Use short timeouts so that system locks when not being used and when “sleeping”.
    • Chromebooks and Chromeboxes provide all the above automatically and have the advantage of being less expensive (approximately $200 per unit) than similar traditional PCs. The advantage is that the user does not have to do ANYTHING to secure it, beyond using a strong login/encryption password. Any device that requires the user to have some technical know-how and consciously follow certain procedures (like applying updates) regularly is going to be problematic.
  • Access security
    • Serious password policies that don’t permit short, common passwords like ‘password’, ‘abc123’, ‘qwerty’ and the like. Policies for password complexity must be enforced by the systems used.
    • Two factor authentication is highly desirable and should be used whenever possible.
    • If system permits, implement a whitelist that only permits log-in from computers/devices with registered MAC addresses.
  • WiFi and other local network security issues
    • WPS should be disabled on routers.
    • UPnP (Universal plug and play) should be disabled on routers.
    • WPA-2 security is the minimum acceptable wifi security.
    • Firmware on routers should be kept up to date.
    • If connecting from home, professional rather than consumer router should be used.
  • Human Factors
    • Train, train, and train some more. Users must be sensitized to the vulnerabilities and to the fact that PHI theft is BIG business. A single PHI record is worth approximately $50 on the black market because of its value in both identity theft and use in filing false claims.
    • Having policies is essential, but to prevent breaches and HIPAA violations, your staff must understand why the policy is there, and the importance of adhering to it.
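The “Access security” item above says password complexity must be enforced by the systems used, not merely written into a policy or a signed agreement. The following is an added illustration of what that enforcement looks like in code; it is not SOS code and was not part of the User Group discussion. The 12-character minimum, the three-character-class rule, the small denylist (seeded with the ‘password’, ‘abc123’ and ‘qwerty’ examples named above) and the sample attempts are all constructed assumptions; a real deployment would load a much larger breached-password list.

```python
"""Password-policy enforcement example (added illustration, not SOS code).
Rejects short or common passwords at the system, so the rule does not
depend on a staff member remembering or honouring an agreement."""

import re

MIN_LENGTH = 12  # assumed policy value; HIPAA itself prescribes no number

# Constructed denylist. The first three are the examples from the checklist.
COMMON_PASSWORDS = {
    "password", "abc123", "qwerty", "123456", "letmein", "welcome",
    "iloveyou", "admin", "passw0rd", "password1",
}


def normalize(pw: str) -> str:
    """Fold case and strip the trailing digits/symbols people bolt onto a
    common word ('Password1!' -> 'password') before the denylist lookup."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Check both the raw lower-cased value and the normalized form, so
    # 'abc123' (digits are part of the common string) is still caught.
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("common password (or a common password with trailing digits/symbols)")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    # Character-class variety: require at least three of lower/upper/digit/other.
    classes = sum([
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample attempts for a hypothetical user 'jsmith'.
    for user, pw in [("jsmith", "qwerty"), ("jsmith", "Password1!"),
                     ("jsmith", "jsmith2014!!"), ("jsmith", "Purple-Otter-Bakes-92")]:
        print(f"{pw!r:26} -> {check_password(pw, user) or 'accepted'}")
```

The point of the `normalize` step is that “Password1!” satisfies a naive complexity rule (upper, lower, digit, symbol) yet is still the common word with decorations; a check that only counts character classes would accept it, so the denylist lookup runs on the stripped form as well.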

It is natural to downplay the importance of devices that just ACCESS rather than store PHI, but this recent article explains how even a cellphone, on which data is not actually stored, can result in major problems:

The same day this discussion occurred, I received an invitation to download a white paper through Healthcare Informatics magazine. The 7 Essential Layers of Secure Cloud Computing is a paper produced by ClearData corporation, a company that specializes in security for healthcare organizations. The paper is provided for you with their permission.

The final element of this HIPAA discussion related to cyber insurance. Dr. K, who is seeking outside assistance on developing and implementing his HIPAA plan, was asked whether his group carries cyber insurance.

Dr. K: Anybody heard of “cyber insurance”? According to the organization consulting with us, it is a policy that helps cover costs in the event of a breach. It’s inexpensive and worth considering.

Thoughts?

Dr. B: Definitely. I recall that we have a rider on our policy, but I need to double check that.

Dr. G: Would we need cyber insurance if we do not have internet in our office?

Seth responded: If you are an SOS customer, you obviously store and manage PHI in electronic form. Unless you are scrupulous about encrypting and otherwise safeguarding that data, then conceivably you could suffer a significant breach. Let’s say that the machine on which you store your SOS database is not encrypted and were to be stolen. Are you prepared to handle the fines, notification of patients, purchase of identity theft insurance for your patients, etc? Would you feel more comfortable if you had some insurance to help you with those costs?

Whether you NEED it or not is a call only you can make.

And that, my friends, is the bottom line when it comes to HIPAA privacy and security requirements. The law requires a great deal. The requirements are scalable based on the size of your organization. Only you can determine what is enough for your organization to do, keeping in mind that even small behavioral health organizations have begun to be fined for irresponsible handling of their security and privacy responsibilities that resulted in a breach. Can your organization survive the repercussions of a PHI breach? How are you handling these issues?

HIPAA Compliance: How are you managing privacy and security?

In the past week, there has been a bit of a discussion on our User Group about really complying with HIPAA in a mid-sized to large behavioral health practice. It also applies to small organizations. This is Part I of that discussion.

The fact that the HIPAA privacy requirements were implemented in 2003 does not mean that most mental health organizations—or most medical practices, for that matter—actually do a good job with their compliance. Since the HiTech Act added security requirements including a Risk Assessment almost six years ago, many organizations are not compliant. Somehow, people in both the private and public sectors seem to forget that HIPAA compliance is an ongoing discipline, not a one-time act.

The discussion participant who is co-owner of a mid-sized practice (Mr. Z) is interested in doing the compliance plan himself, but he has concerns about having time to monitor ongoing implementation of the plan. His colleague (Dr. K), who is owner of a quite large practice, has decided that their situation is becoming too complex to handle on their own. They will be hiring an organization that is expert in doing Risk Assessments and developing HIPAA Compliance Plans, and that will help them stay on track in their implementation of the plan over time. Seth and Kathy are SOS owners.

Here is part of the exchange:

Mr. Z: I have found time to dig into the HIPAA challenge aggressively. I am aware there is a difference between a HIPAA Security Evaluation and a Risk Analysis. I am also using the Security Risk Assessment Tool found at HealthIT.gov for my security evaluation. I need to be re-pointed to a good format for a risk analysis tool. Can someone point me to a risk analysis tool they have been using?


Seth:
The HealthIT.gov Security Risk Assessment Tool is the risk analysis tool. As you work through each item, the relevant ones will display two items for you to rate likelihood and impact, which together indicate the “risk”. For example, the likelihood of a stolen unencrypted laptop may be low, but the impact would be huge, so it demands attention and correction. The public mention of a patient name might have a much lower impact, but a much higher likelihood, so it too should be addressed through policies and staff education. In working through the tool, the two ratings taken together provide a ranking that helps you decide which threats are highest priority.

Bottom line is that this tool should provide sufficient structure to get the job done, I think. Is there some ground that is not covered by the Security Risk Assessment Tool?

For those who are not aware of this resource, please visit:

http://www.healthit.gov/providers-professionals/security-risk-assessment

and watch the associated video:

http://www.healthit.gov/providers-professionals/video/security-risk-analysis
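Seth’s description of the tool (rate likelihood and impact for each item, and let the two ratings together rank the threats) can be made concrete with a small risk register. The code below is an added illustration and is not the HealthIT.gov tool’s own logic; the 1–3 rating scale, the tier thresholds, the tie-breaking rule and the sample threats are constructed assumptions that mirror the two examples in the message (the rarely stolen but unencrypted laptop, and the frequently spoken patient name).

```python
"""Likelihood-by-impact risk ranking (added illustration; not the
HealthIT.gov Security Risk Assessment Tool's own code)."""

from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}        # assumed 1-3 scale
TIER_ORDER = {"low": 0, "medium": 1, "high": 2}    # for sorting tiers


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"

    def score(self) -> int:
        """Plain likelihood x impact product, 1..9."""
        return RATING[self.likelihood] * RATING[self.impact]


def tier(t: Threat) -> str:
    """Assumed priority tiers. Anything with high impact is at least 'high'
    priority however unlikely it seems: a rare event with a huge impact
    (the stolen unencrypted laptop) still demands a control."""
    s = t.score()
    if s >= 6 or t.impact == "high":
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def rank(threats):
    """Highest priority first. Sorting on the product alone would bury a
    low-likelihood/high-impact item beneath a medium/medium one, so the
    tier is the primary key and the product and impact break ties."""
    return sorted(
        threats,
        key=lambda t: (TIER_ORDER[tier(t)], t.score(), RATING[t.impact]),
        reverse=True,
    )


# Constructed register: the two examples from the discussion plus two fillers.
SAMPLE = [
    Threat("Unencrypted laptop stolen", "low", "high"),
    Threat("Patient name spoken aloud in waiting room", "high", "low"),
    Threat("Shared workstation login at home office", "medium", "medium"),
    Threat("Unpatched OS on billing PC", "medium", "high"),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{tier(t):6}  score={t.score()}  {t.name}")
```

With these ratings the laptop theft scores only 3 on the raw product, the same as the waiting-room disclosure, yet lands in the high tier because of its impact; the waiting-room item stays medium and is addressed, as Seth says, through policy and staff education rather than a technical control.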


Kathy:
I am going to express an opinion, Mr. Z. It is aimed at helping you and other user group members evaluate some of what you read about HIPAA compliance.

The article that you mentioned [in another part of his message] is written by a company that specializes in providing risk analyses for a price. They are specialists in this arena, understanding the differences between privacy and security as defined by HIPAA and the HiTech Act. The other articles and elucidations available on their web site are aimed at helping you understand how much they know and that they are truly expert in their field. It is highly likely that they are.

The question is, do you need their level of expertise? Do you have the time and are you able to sort through the many articles and checklists out there? Do you understand enough about technical security to assure that your computer systems meet standards? When you start reading about this stuff, do you get curious and interested or just want to run and hide?

The HHS tool for risk assessment is aimed at small to mid-sized organizations whose situation is not so complicated that outside expertise is required. If that describes your organization, then do use the HHS tool as a starting place for your own assessment. Just be careful about considering it exhaustive; it is not likely to be that.

It is never going to remind you that you provide group psychotherapy and that groups present inherent security and privacy risks that you should address in your plan. For example, you probably have a written agreement that each group member signs about maintaining the privacy of other group participants. That should be included in your assessment as a source of risk and you should include your agreement in your plan. If you limit name use in group to first names, you need procedures to guarantee that. Your staff need written policies and procedures that they follow to maintain the privacy of those group members. If your staff utilize paper files and have a stack of those records in the group session (or on their desks), how do they protect the privacy of the members? What security methods are used to protect those records? Is there at least a lock on their office doors, and do those locks get used? How easy is it for a group member heading to the restroom to stick their head into that office?

This is the kind of thing that a well-qualified HIPAA security/privacy professional would ask you as they interview you about your practice. They would look at as many possible sources of risk as they can find and then help you address them in your plan. This is what you pay someone to do. Are you comfortable doing this yourself? Even if outside expertise is not required to get you to a plan, you might decide that you want to purchase it anyway. It may be that using an outside source to do your risk assessment and point you toward the policies you need to develop would be a wonderful help to you. Or, it may not.

I think a helpful attitude to take when beginning a risk assessment is to be as open as possible to information and observations…and don’t expect to find everything yourself. Each of your staff members and employees has certain sets of responsibilities and interactions with PHI. Once you have done an overview for the organization, you need to sit with different employees (all if possible) in small groups and get their input about how they handle PHI. They will have perspectives you cannot even imagine! Their observations will be invaluable to you in developing your plan.

As you read and research, just remember the source of the material. It is not essential for everyone to hire professionals to do their risk assessment and security plan for them. Don’t be too heavily swayed by such professionals who disparage the home-grown assessment and plan. If the HHS.gov materials are too simplistic for your organization, you may need consultation. On the other hand, if the materials HHS.gov provides seem complicated beyond what you can decipher and you are in danger of using that as an excuse not to develop a plan, it is time for you to get assistance on HIPAA compliance.


Dr. K wrote in part: …But if you run almost any size group, the more I find out about the complexities of remaining compliant (Geez, I had not even thought about the specialized group therapy HIPAA issues), the more I know I need specialized assistance and cannot possibly create what is needed on my own, and more importantly, continue to monitor compliance in all offices and with all staff as we grow…..


Seth:
At a certain point, larger practices will have to do some outsourcing, hire a compliance officer, or designate a staff member to put a significant portion of their time into getting trained and implementing the systems needed to get closer and closer to compliance.

I want to point out, however, that no matter how much you try to outsource, there still will be much more internal work and training than you imagine to achieve compliance. It is like psychotherapy, in a way. You can counsel a patient about how s/he can make meaningful changes, but then it is up to the patient to put in the work when they leave your office. If no work is done outside the office, no substantial change will occur. Just as this patient can end up dropping many thousands of dollars on therapy and end up with no benefit, so can you if you think for one second that you can hire someone to take HIPAA compliance off your hands. That is not the way it works. You will be “prescribed” policies and procedures, and you and your staff must learn them, follow them, and document your compliance.
Auditors say that having policies and procedures that you don’t follow is little better than not having them at all. You are going to end up with compliance logs of various types. If there are not regular entries in those logs (made by YOU and/or YOUR STAFF, not by some hired gun) then you are not making a good faith effort toward compliance. These experts can create a list of stuff that you should be doing, and make suggestions about how to get the tasks done, but most cannot be done for you.
The larger you are, of course, the more risk and the more potential points of failure you have. I don’t envy either of you, but I offer this advice: get references and follow up on them before signing a contract. It is one thing to know the HIPAA regulations; it is quite another to be the kind of person who can motivate a group of psych folks to change their attitudes and behavior!
Another analogy occurs to me — weight loss. You all know how easy it is to write up a plan to change eating and exercise behavior, how hard it is to motivate yourself or your patients to follow through, and how much harder still it is to keep the changed behavior going month after month, and year after year.

Reading this exchange reminded me that it might be time to re-share some of the links to important information about HIPAA and HiTech.

You can go to the HHS website and search for HIPAA. The Office for Civil Rights is the official enforcer for HIPAA. Many professional organizations have materials available to their members. A quick Google search for ‘hipaa risk assessment tools apa’ produced a good deal of information. Over the course of the past several years we have posted on this topic regularly. Take a look at our articles from October 17, 2008 through December 10, 2014.

And most important of all, once you have done your reading…take action. If you have not done a Risk Assessment and do not have a Privacy Policy and Security Plan that you use and review regularly, no matter how small you are, you are not compliant with HIPAA. If you have a plan but have not reviewed it recently, now is the time to do so! This just might come back to bite you at some time if something you do not expect occurs.

Please share your thoughts and experiences below…and be sure to read Part II next week.


Enjoy your holiday now . . . not when you get there!

I just wanted to quickly wish everyone a very happy holiday season. To those of you who have already been celebrating Hanukkah, sorry I missed extending a greeting. Same goes for you Solstice observers. Let the light shine!

To you Christmas celebrants, Merry Christmas….and Happy Kwanzaa to all of you who mark that holiday. This year, I took note of the winter Solstice, and my husband stated his desire to get out the Festivus pole.

The most important message I wanted to share with you is that I hope you will stop for a moment, take a deep breath, and enjoy just where you are right now. Your holidays consist of the whole experience inside you and around you, not just when you arrive at your family home and dive into the celebration. Lots has been written about Mindfulness and the manner in which it can add to our happiness. Perhaps you can use some of what you already know about mindfully experiencing this moment, and in doing so experience what your particular holiday is all about.

We wish for you a happy, healthy and prosperous 2015. But mostly, we wish for you to have awareness of as many of the moments of the end of this year and of the new one to come as you possibly may. And may they all be happy ones.

Email Overload: How to avoid email bankruptcy

Have you ever looked at the number of emails in your inbox and been tempted to just delete all of the old ones and start out fresh? Most employers would not appreciate this method of gaining control. There might be very important information in those emails. Even so, some folks would like to declare bankruptcy (email bankruptcy, that is) and just start over.

Every time I go away or even just take a couple of days off, I am amazed by the number of emails in my Inbox. I have used some of the suggestions I have read over the years, but still fall behind. I am not well-disciplined when it comes to following these simple ideas.

Here are a few suggestions taken from a couple of articles on this subject.

  1. Learn enough about the email application you use so that you can implement these ideas. If you just continue to do things as you have been doing them, nothing is likely to change. If you learn how your technology can help, you will likely be able to manage better. Gmail, Outlook, and Yahoo! Mail all have tools you can use.
  2. Filter your email into different folders, or at least use different tags or labels. In Gmail, Google allows you to create multiple inboxes as well as an unlimited number of labels. I use things like ‘Blog ideas’, ‘CMS’, ‘HIPAA’, etc. I have hundreds of labels. The labels themselves are useless unless I also create filters to automatically tag each email that comes in with its appropriate label. In Gmail, the steps are simple. With an email open, click on the ‘More’ button and select ‘Filter messages like these’. Walk through creating the rule for filtering these emails based on who they are from or words in the subject or in the email itself. You can even have things like newsletters that you receive daily skip your inbox altogether and go directly into their own folder waiting to be read when you have a few minutes.
  3. Limit how often you check email to once or twice, or maybe three times a day. Unless most of your business and work is connected to your email, do not keep it open all day. Limit the time you spend on email and work quickly through what you receive.
  4. Decide what you are going to do with each email you read and take that action. Reply, archive, delete, save in a folder. If you use GQueues as a task manager, you can even create a task and add it to your ToDo list directly from the email. Take a look at this video featuring Merlin Mann to get a good idea about how to implement these techniques.
  5. Sit down and start, but don’t expect yourself to clean out the Inbox all at once. Decide what your plan is and start to implement it. Then do a bit more each day.

Now that I have written these ideas down for you, I am motivated again to get my email cleaned up. The laptop will come home with me tonight so I can start the process of clearing my inbox. Who knows, maybe I will even delete some of those very old newsletters or headlines that could not possibly be of use to me ever again!

Do you have a system for managing email that works for you? Please share your ideas and comments below.


Mental Health Organizations Not Immune from HIPAA Fines

One of the most recent large HIPAA fines was placed upon a behavioral health organization just this month—Anchorage Community Mental Health Services.

BULLETIN: HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software

Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska.

The problem: the organization reported a breach that affected over 2700 individuals. They had completed a risk assessment and developed policies in 2005; they had done almost nothing else since then.

OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

I read this and started wondering how many of our customers might be in the same boat. They went through the motions of taking a course on HIPAA security and privacy, adopted some sample policies that the trainer shared, and put it all in a file cabinet. You might be surprised to hear this, but that is not HIPAA compliance.

If some nightmare occurs, you experience a data breach and have to report to OCR, will they find the same thing in your organization? Are you still using unsupported software that is no longer updated for security by the manufacturer (like Windows XP)? Have you provided training on your policies and procedures to that new receptionist you hired? If you are a staff person reading this article, have you been trained on your organization’s HIPAA policies and procedures? Do you know what PHI is and what the consequences can be if that information is seen by someone else without their permission?

If you would like to share some of the things you and your organization have done to make sure that the information with which your clients have entrusted you is secure, please do so below. If you know you have not done enough, please read about doing a Security Risk Assessment and start remediating your situation. I cannot tell you how much we would hate to lose a customer who had to close up shop because of a large fine they could not pay. I know it could never happen to you. . .but just in case. . . .


Online Dating: Positive or negative for your behavioral health clients

I have friends who have met and married their spouses through online dating. You probably do too. The Pew Research Internet Project reports that

. . . one in ten Americans have used an online dating site or mobile dating app themselves, and many people now know someone else who uses online dating or who has found a spouse or long-term partner via online dating.

In fact, Christian Rudder, the co-founder of OkCupid, a popular online dating site, wrote about the data his site gathered on people who are registered there. All of the data reported in his book, Dataclysm: Who We Are (When We Think No One’s Looking), is anonymous and aggregated, so there is no data that can be identified as specific to any given individual. Rudder believes that online activity is changing how we behave, how we see ourselves…maybe even who we are.

So when I got an email this morning from Addiction Professional Magazine offering a free webinar entitled Falling in Love Through Technology: The Risks of Online Dating taught by Lori Jean Glass, Program Director at Five Sisters Ranch, I was intrigued. After all, it is certain that behavioral health clients are among the 10% of U.S. adults who are using online dating sites. This webinar is aimed at mental health and addiction professionals and will be held on Wednesday, December 17, 2014.

Learning Objectives

  • Discuss why online dating / relationship seeking may or may not be suited for their attachment style.
  • Assess how addictive personalities can ignite relapse with drugs and alcohol with on-line relationship hunting.
  • Recommend appropriate intervening tools for addictive online relationship challenges.

What do you think about online dating and relationships, for yourself or for your clients? Do you think there is risk involved? I hope some of you will register for the webinar and share your thoughts here.

Please enter your comments below.

Sharing Your Personal Health Data

A few weeks ago, I wrote about your personal health data and how much control you would like to have over it. I have been thinking about this question more recently.

This week, I attended a SATVA meeting during which we discussed our own responsibilities toward security and privacy of behavioral health patient data as software vendors. We also talked about the move of some of our customers toward using mobile Apps as treatment aids for their patients.

On November 6, 2014, the FierceHealthIT newsletter published an article entitled Making the case for personal health data sharing. In it the author discussed what some people see as our “responsibility to help advance medicine by sharing our health data.” This article focuses on the value to the healthcare system and to public health of sharing de-identified healthcare data. The claim is that the compilation and analysis of all that data will enable the development of more effective ways of providing treatment, of evidence-based practices, and of improved care for everyone.

An article by Beth Seidenberg, M.D. in Wired magazine on 11/6/2014 argues strongly that we all ought to allow our data to be shared. You Should Share Your Health Data: Its Value Outweighs the Privacy Risk argues from the perspectives of public health, patients, providers, and entrepreneurs that sharing health data is crucial. “The author, Beth Seidenberg, M.D., is a general partner with Kleiner Perkins Caufield & Byers (@KPCB), focused on life science and digital health investing. Before joining the firm in 2005, she worked at a number of pharmaceutical businesses, most recently as chief medical officer at Amgen.” This author is a medical professional who has mostly worked on the entrepreneurial side of medicine rather than the patient care side.

My partner is a tech professional, a tech hobbyist and fitness buff. Several months ago, he purchased one of those personal fitness tracking devices which he wears all the time. I asked him recently what happens to the data his device gathers every day. He pulls the data off the device and into the App each morning. Garmin’s privacy policy says that they do not share the data, but he can share it with other Garmin users. There is currently no way for him to bring the data into HealthVault or send it to his physician. It is likely that HIPAA does not cover these devices.

In my opinion, we are currently in a time of rapid transition with few guidelines and safeguards. Those of you who are governed by HIPAA have certain constraints upon the data you gather from patients. If you are using an electronic medical record and if you have applied for stimulus funds to purchase that software, you will at some time be required to report certain de-identified data to the Centers for Disease Control or some other such bodies. You will be required by the law to make sure that data is private and secure, even as you report it.

But what about others who do not have such requirements? What about the Apples and the Microsofts and the Googles and all of the small vendors who collect a variety of health data? Do you want them to have your data? What do you want them to be allowed to do with it?

Please share your thoughts and comments below.


Patient Privacy in an Emergency: New HIPAA reminders

The recent events surrounding the arrival of Ebola inside the United States have prompted the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) to create a new document about HIPAA Privacy in Emergency Situations.

In light of the Ebola outbreak and other events, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), is providing this bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.

The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

In the months following Hurricane Katrina, HHS developed clear procedures and a decision tool for use in emergency situations. Having a clear plan of action in emergencies is part of the requirement placed upon Covered Entities and their Business Associates who are in possession of protected health information.

Behavioral Health providers are affected by hurricanes, snowstorms, floods and tornadoes, just like the rest of the residents and businesses in their communities; but as healthcare providers, we have additional concerns. Protecting our employees and our offices is only part of the picture. Protecting the privacy of our patients and the security of their records is another facet that must be considered.

Take a look at these new and revised documents when you get a chance . . . and let’s hope that we are not confronted with public health or environmental emergencies in the near future!

Implementing New Practices: Are you fast or slow?

After writing about telemental health last week, I found myself wondering what it will take to get practitioners to consider using remote connectivity with their clients as a regular way of providing treatment. Some of you seem to do this, but it appears that very few do so, in spite of developing evidence that treatment provided by Skype or other remote service can be just as effective as in-person treatment.

I noticed that this is not uncommon with all sorts of newer treatment modalities. In fact, Monica Oss in one of her recent articles for OpenMinds addresses just this:

These discussions are not that unusual in the world of behavioral health. In fact, implementing new research into practice—even interventions that have demonstrated efficacy and effectiveness—presents major challenges. It takes up to 20 years for new knowledge from clinical trials to be incorporated into practice (see Crossing the Quality Chasm: A New Health System for the 21st Century and Mental Health). A study of research adoption found that it took “17 years to turn 14 percent of original research findings to the benefit of patient care” (see From Science to Service: A Framework for the Transfer of Patient Safety Research into Practice and Clinical Research to Clinical Practice — Lost in Translation?). This situation means that in the intervening two decades that it takes for new discoveries to make their way to consumers, there is a lot of unnecessary human suffering and a lot of unnecessary cost.

When I practiced as a psychologist, I attended continuing education training regularly. When I came across new ideas, I tried to implement them in my practice. My move toward Cognitive Behavioral Therapy came after an extensive training in this modality. But try as I might, it was very difficult to maintain and continue to provide what I learned. The pull of clients to just talk about what is going on in their lives rather than to do something concrete about it was difficult to overcome. It is like entropy in any system; the tendency is to move back toward that which was initially learned. If a career lasts 30 – 40 years, it is possible that new evidence-based methods will be incorporated only once during a clinician’s lifetime.

What do you find in your own work? Are you an early adopter of new methods? Are you able to pull them off over the long-term, or are they just flashes in the pan?

Please share your comments and observations below.

Telemental Health: Is this your next way of providing services?

Back in another lifetime (the early 1980s), I did a daily call-in psychology-oriented television show. As what I thought was a natural outgrowth of that experience, I did some training of other psychologists on connecting with clients remotely by video. At the time, there were no easy ways to do this, but I was sure they were just around the corner. It has taken 30 years, but now those methods are here and many of us use the technology regularly.

Skype, Google Hangouts, FaceTime and numerous other methods of connecting remotely with other people including voice and video transmissions have become part of the daily communication methods for many of us, especially young people who were raised with a smart phone in their hands. For some of those people, having contact with their therapist by such remote connection is natural and expected. For others, living in a rural location where the nearest mental health professional is far away, connection remotely may be crucial.

I recently noticed a post on LinkedIn wherein Dr. Steve Lower defined telemental health in the following way:

Telemental health utilizes live videoconferencing to provide regular appointments/interaction between mental health patients and physicians.

Medicare has begun to reimburse for telemental health services; Maryland Medicaid does so under certain conditions. Obviously, they are hoping to bring services to underserved locales. The easy availability of the technology has caused a huge spurt in the growth of this area. A Google search on the term ‘telemental health’ brought 54,900 hits.

Apparently, since my other articles on this topic, interest in this area has grown immensely. It is becoming much less the exception and more the rule.

At least one of our customers has recently talked about their expectation of growth using telemental health services. Where is your organization in the process of integrating these remote health services into your array? Do you see this as something you are ready to do? Do you already provide such services?

Please share your experiences, opinions and other comments below.

Doom for health insurers?

I wanted to do a very quick update on my article of two weeks ago when I talked about the health insurance industry.

This new article in FierceHealthPayer newsletter even more strongly reiterates the points made in that earlier article. Professor Jeffrey Pfeffer of Stanford University predicts “doom” for the health insurance industry. He believes that industry after industry from travel to publishing to finance have removed the intermediaries or “middlemen”. He thinks the health industry is on its way toward removing third-party payers—the middlemen—because they are so bloated and costly.

If the traditional business model for health insurers is following the dinosaurs, what’s the alternative? Pfeffer pointed to Kaiser Permanente, a healthcare provider that combines care delivery and insurance under one roof without a separate insurance middleman. This model saves money and lowers rates, Pfeffer wrote. As cost containment pressures build and more healthcare systems embrace “Kaiser-fication,” those who rely on intermediaries will find themselves at a competitive disadvantage, Pfeffer argued.

What is your take on this? Is it good for the healthcare industry to move away from third-party payers like insurance carriers? Where would behavioral healthcare providers wind up in such a change? How does the private practitioner continue to function? What happens to CMHCs?

Please share your comments below.

How much control do you want over your health data?

Ever since I began participating in meetings and discussions about electronic medical records about ten years ago, there have been multiple consistent messages.

  1. The costs of U.S. healthcare are unsustainable.
  2. For what we pay, we do not get proportionately better care.
  3. To control costs and properly spread risk, everyone must be part of the system.
  4. Electronic medical records are essential to this process because they are the only way for all treating providers to have all the relevant information about patients.
  5. The ability of EMRs to communicate with one another, either directly or through a ‘clearinghouse’, is the only way to make this benefit available.
  6. Electronic medical records are essential because they will collect huge amounts of data that will allow empirical observation of which treatments are effective for which patients, thus allowing the development of evidence-based treatment and cost-effective care for most people.
  7. and finally . . . The patient must control their health information.

That last item is one that has been central in behavioral health treatment settings. We have always worked under the assumption that behavioral health and substance abuse treatment must be absolutely confidential, with only the patient (or their designated guardian) able to allow providers access to that information. At the Community Mental Health Center at which I interned, it was drilled into us that we were not even allowed to acknowledge that a person was a client of the center. Even that information would reveal too much about the client. Mental illness and chemical dependency still carry considerable stigma. The same, of course, is true for others who have illnesses considered super-sensitive. The person being treated for AIDS is subject to a great deal of potential discrimination for their diagnosis, just as is the behavioral health or chemical dependency client. And what about a person infected with Ebola?

A recent Executive Briefing from OpenMinds discusses this notion in their article “Do You Want ‘Granular’ Control Over Your Health Record?” Just how much control over your health record is enough for your personal and professional comfort? It could certainly be problematic for an ER physician not to know that you are taking an antidepressant, or pain medication, or a cocktail of medications to treat some serious illness. If you are unconscious, that ER doctor can at least learn your prescriptions. But what happens when you don’t tell a urologist or other non-emergency specialist all of your medications?

What is your personal inclination regarding this kind of privacy? And what about for your patients? How far does privacy need to go?

Please share your comments below.

Health Insurance Industry: Where is it going?

I receive several healthcare industry newsletters each week. Most of them seem to assume that health insurance companies, as they exist today, are on their way out as the healthcare industry restructures. At the very least, these publications believe that our current ‘fee for service’ model is a dinosaur that will be extinct in the next ten years.

Some people think ACOs (Affordable Care Organizations) will take the place of the health insurance industry. These are provider groups (including hospitals) who bear the risk for providing all care for a patient for a certain amount of money that is now paid by an insurance company or Medicare. They are expected to use lots of preventive care and to benefit from the large amount of data their electronic health records (EHRs) will gather to provide evidence-based care in a profitable way. Kaiser Permanente is the example of this kind of organization that many people refer to.

The logical extension of these arrangements is that the ACO would contract directly with an employer or group of employers on behalf of their employees cutting out the insurance company. This would be a kind of pre-paid health care where the ACO is on the line for providing best care and keeping members healthy.

Oh, wait….isn’t that what HMOs were? You remember….Health Maintenance Organizations. In fact, I think Kaiser was long considered an HMO. It has certainly been a most successful one!

For myself, I am a fan of a single payer system…..like Medicare but for everyone…..with premiums paid by employers or from income taxes or in a variety of ways so everyone can be covered.

What models of funding healthcare do you see as possible and even likely? Do you think insurance companies are with us for the long-term? Where do you think behavioral health will fit in this ever-changing, rapidly evolving arena?

Please share your thoughts and comments below.

Dismantling Habitual Behavior

Since the middle of July, I have been involved in a yoga teacher training program that I have mentioned a few times in blog posts. During that entire process—the 20 days at the yoga institute and the six weeks between the two ten-day sessions—one of the primary focuses has been on our habitual behavior and how it keeps us from being who we really want to be.

The last time I wrote about habits, my article was a review of a book that aims to help us change habits. The methods suggested by the author, Charles Duhigg (The Power of Habit) are very effective at helping us alter habits which are no longer serving us. The approach presented is very logical and behaviorally focused, perfect for individuals and behavioral health professionals to use.

The mode of dismantling habitual behavior in yoga is just a bit different. Yoga practice utilizes the body, the breath, and energy as tools to bring us face-to-face with our habitual reactions, and then uses proper alignment, breath and internal focus (concentration and meditative awareness) to help us react in ways other than our usual, habitual ones.

For many of us, our habits are invisible. Even when others point them out to us, we have a hard time seeing them. We may even become defensive and insist that we do no such thing. For some of us, focusing on the energy tied up in that habit rather than on the habit itself is a more productive path. Becoming aware of our reactive patterns and using that awareness to become mindful of how the habit serves us or does not in our daily lives is one step toward change. Working directly with the energy we have invested in the habit—bypassing our thoughts, rationalizations and justifications for the behavior—can be an effective method of change for those of us who are expert rationalizers and justifiers.

Those of you who are body workers or have had experience with body work (massage, chiropractic, Thai massage, Rolfing, Reiki, Feldenkrais, etc.) know from your personal experience that the body holds a great deal of tension and energy that is connected to emotion. The first time I had a chiropractic adjustment, I cried all the way home—not because it hurt; it did NOT. I cried because I had been in pain for most of a year and the adjustment I received relieved that pain immediately. It also released lots of energy that I had tied up in that pain and in the muscles in my body that were trying to keep it from getting worse and were working hard to protect me from the pain. Releasing that energy makes it available for my use rather than my protection.

The same is true with energy I have tied up maintaining habit patterns that may no longer serve me. That energy can become available for my growth and for improving my health.

What methods have you learned for changing habits…your own or those of your clients? What has the effect been on your energy? Do you have experience with body work or with yoga that has resulted in behavior change?

Please share your experience and comments below.

Managing My Stress: No blog posts until September 30

In an effort to manage my stress levels more effectively, I today made an executive decision—I will take a brief break from blogging. I am getting ready to head to the second half of a yoga teacher training program on Friday. I will not return until September 21. I plan to do my next post on September 30.

Thanks to all of you who read my posts regularly. I appreciate your loyalty!

Fines as Motivators: How do they affect your actions?

I just reviewed two articles that talked about fines against providers for allegedly illegal behavior related to HIPAA and to the False Claims Act. I also just read an exchange of opinions and information on my state psychological association listserv about a Microsoft cloud service product and whether it is HIPAA compliant. As we deal with our customers on a day-to-day basis, I am amazed at the variation in response to possible breach of the law. Some state things like, “Oh HIPAA. I’m not worried about that stuff.” Others indicate opinions such as, “I would never use a Cloud backup program. It cannot possibly be secure!”

The HIPAA article was in an Open Minds newsletter and focused on the money-making potential of HIPAA. The gist of the article is that 2015 is expected to be a very big year for fines for breach of HIPAA requirements. The cases in OCR’s pipeline as well as the plan for HIPAA audits of providers, insurers and clearinghouses are likely to produce record fines. The advice in the article was similar to the advice given by one of the participants in the listserv discussion mentioned above: complete a comprehensive risk assessment for your organization. There are many tools and much guidance available on the CMS web site; the Indian Health Services also have a checklist for what should be in that risk assessment.

The second article I read this morning was about the False Claims Act and how it relates to certain aspects of the Affordable Care Act. The article discusses a Department of Justice and New York Attorney General’s lawsuit against a healthcare organization accused of failing to return Medicaid overpayments the organization allegedly had knowledge of. Apparently, ACA requires return of overpayments by government payers within 60 days of the provider’s awareness that such an overpayment was received. Additionally, the lawsuit is seeking to apply the False Claims Act to this failure to refund. If it is successful, the organization in question could owe treble damages along with the overpayments! That could be lots of money. Large provider organizations are carefully watching this lawsuit as the outcome could have profound and expensive effects on the industry. It could also save us taxpayers lots of money.

Given the wide range of opinions on laws and what they really require of us that we hear every day, I wonder what motivates your organization to get things right. Is it the threat of a fine that could put you out of business? Is it a threat to your license that could keep you from practicing your profession? Is it simply that we owe it to our patients to protect their information? Do you really not worry about such things? What motivates you to meet the requirements of the law? How does that relate to how you provide care?

Please share your comments below.

Perspectives on Stress: Is it all bad?

[The following is a guest post by Jeremy Peres. Jeremy is an Applied Biopsychology doctoral student at the University of New Orleans studying stress physiology and emotions. He is also Kathy and Seth’s nephew.]


Hello, SOS readers. Thanks, Kathy, for giving me the opportunity to write this guest blog post.

I’m writing about something people experience on probably a daily or weekly basis throughout much of their lives: stress. It has shown itself to be a rather hot topic in mental health and medical research and clinical practice over the past 50+ years. From a biological perspective, stress responses (e.g., “fight or flight” responses) typically involve several changes within the body such as increasing heart rate, blood pressure, and the release of the hormone cortisol. The advantage of having such a response that maximizes strength, speed, and awareness is easy to understand when picturing, for example, a human fighting (or more likely running for his life from) a bear that he or she has come across in the forest.

From the psychological side, stress is typically equated with difficult situations that involve discomfort, negative emotions, and anxiety. This makes sense when applied to people in modern society because, though the same physical changes happen as in a fight or flight response, our stress usually does not come from this rare run-in with a bear in the wild that lasts just a few minutes. Rather, modern people experience stress when navigating long work hours, relationship conflicts, financial struggles, etc. and on top of that also experience that same stress just from worrying about work, relationships, finances, etc. even when they are not actually happening.

Rather than escape the bear and move on, our bear prefers to morph into these different modern stressors and follow us around for long periods. Research has shown that this chronic nature of our stress literally makes us sick by weakening our immune system and increases the chances of developing serious conditions such as heart disease and cancer. For a great popular book about this research, check out Robert Sapolsky’s Why Zebras Don’t Get Ulcers.

That’s a lot of bad news about stress. However, as early as the 1970s, researchers differentiated between distress and eustress, which implies a positive perception, such as in being motivated to complete a goal or enjoyable challenge. Regardless, this positive side of stress is often overlooked in large part. In my own reading and conference attendance over the past few years, stress is almost universally presented with a negative connotation, referring solely to the distress side of things. Sometimes research even seems to oversimplify these naturally occurring biological processes (e.g., elevated heart rate) by labeling larger stress responses as being “maladaptive” even if they are not necessarily longer. Additionally, there have been several programs and articles with the phrase “killer stress” (a quick Google search shows several examples) in them that, while often showing some great research, tend to be a little overly dramatic and heavily skewed towards the negative.

It is not all bad news though. For one, there are many well-researched ways to reduce stress including meditation, deep-breathing, and relaxation techniques such as progressive muscle relaxation. Secondly, over the past year, I’ve been happy to come across a few different instances showing that there may be some resurgent interest in clarifying that stress is not always a bad thing. This makes me happy because I’m of the opinion that promoting the alarmist “killer stress” viewpoint might have a damaging effect. It not only oversimplifies the biological impact but also promotes an overly negative perspective of a process that is natural and arguably beneficial . . . as long as there is some opportunity for rest and relaxation in between periods of stress or challenge.

This great TED talk by Health Psychologist Kelly McGonigal talks about how she has changed her mind about making stress the enemy. She cites research showing an association between people simply believing that stress is harmful for your health and increased mortality rates. She also cites research by Jeremy Jamieson and colleagues showing that a simple instruction to participants to reframe their body’s arousal during a stressful public speaking task (as being a beneficial and normal process) decreased negative emotions and increased cardiac efficiency. That is, people are better able to overcome the stressful task in a more positive way cognitively and physically. Another study from this group similarly showed that this simple reframing helps socially anxious participants show less anxiety and perform better during the public speaking task.

Another point that Jamieson made at the end of this Psychology Today article talks about the limitations of the typical stress-reduction approach: “Lots of the advice out there for anxious people focuses on promoting relaxation techniques (deep breathing, etc.). These calming techniques are helpful in situations that do not require peak performance, but when gearing up for a speaking engagement reframing how we think about stress may be a better strategy.” Much of this might seem like common sense to behavioral-health professionals; reframing anything in a positive way is good…so what? I think the important thing here is to just remember that, in light of all the gloomy press that stress receives, there is also a brighter side. And that is important to remember.

In addition to the general point that stress isn’t always bad, I very much like this idea that reframing stress in a positive or adaptive way may be a better strategy for overcoming a challenge (when relaxing and decreasing your heart rate isn’t exactly helpful). I think this perspective might be particularly important in the coming years with the increasing popularity of health-tracking wearable devices such as the Jawbone UP and the Fitbit devices. These types of devices tend to track lots of interesting data about sleep patterns, diet, and “activity” (through movement and/or heart rate). Some devices are now even tracking heart rate, skin temperature, and perspiration, basically acting as simplified and portable biofeedback devices. With more people than ever potentially having access to information showing these markers of physiological stress, it might be more important than ever to educate people that stress is complicated and being “stressed” is not so bad as long as you make stress your friend and find some time to relax now and then.

Please enter your comments below.

ICD-10 Implementation Rule Announced . . . Again

As most of you are aware, Congress this year passed a law which prohibited the Centers for Medicare and Medicaid Services (CMS) from implementing the ICD-10 prior to October 1, 2015. On 7/4/2014, the Office of the Secretary of Health and Human Services (HHS) published a notice in the Federal Register changing the required implementation date from October 1, 2014 to October 1, 2015.

For many of you, this change is of minimal importance. If your software product is ready to go, as is SOS Office Manager, then so are you. For some of you, that is not the case.

Any behavioral health organization that does not have a clinician or a staff person trained to code using ICD-10 codes rather than ICD-9 codes should begin to explore what education should occur prior to October 1, 2015. CMS has an entire portion of their web site devoted to information and tools that all organizations may use free of charge to prepare for ICD-10 implementation. There are resources including documents and videos and tools aimed at developing and implementing a plan of action. There are links to the General Equivalency Mappings (GEMs) for 2014 and 2015. There is every bit of information an organization could possibly need to make this transition.

Please don’t be caught off-guard. The new deadline is 14 months away. If your current staff are all trained and prepared, but half of them leave before October 2015, you will need to re-train. If you are now using DSM-5 codes and do not understand the relationship between DSM and ICD-10, you will need to clarify this information, for yourself and your staff.

Just subscribe to the ICD-10 info notices from CMS and you will be able to stay on top of any information and changes as they occur!

Telehealth, eHealth, and Outsourcing: Where are we going?

When the number of articles coming through my inbox converge on a topic, I usually decide it is time to write about it. Three articles about telehealth and e-health appeared today. Another dropped into my inbox at the beginning of July. What is this about and what does it have to do with behavioral health organizations and practices?

As you are undoubtedly aware, what happens in the broader healthcare community often follows in the behavioral health world. Sometimes behavioral health leads the way with innovations; at other times it merely follows. Telehealth is one arena where I think behavioral health has been in the vanguard.

I would like to start with three simple definitions:

  1. Telehealth is the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. (from hrsa.gov/telehealth)
  2. eHealth (also written e-health) is a relatively recent term for healthcare practice supported by electronic processes and communication, dating back to at least 1999. Usage of the term varies: some would argue it is interchangeable with health informatics with a broad definition covering electronic/digital processes in health, while others use it in the narrower sense of healthcare practice using the Internet. (from Wikipedia)
  3. In business, outsourcing is the contracting out of a business process to a third-party. The term “outsourcing” became popular in the United States near the turn of the 21st century. . . Outsourcing includes both foreign and domestic contracting, and sometimes includes offshoring or relocating a business function to another country. Financial savings from lower international labor rates is a big motivation for outsourcing/offshoring. (from Wikipedia)


I have included these three terms together because outsourcing often goes with the capability of using electronic devices and various telecommunications methods. Certainly, most of us have some experience of receiving customer service assistance from somewhere halfway around the world from our homes. I am wondering if the same will be true as we move toward increasing the use of telehealth and eHealth methods in our healthcare system.

Two of the three articles I saw today related to general healthcare. FierceHealthIT newsletter contained two articles about the potential benefits of electronic doctor visits and telemedicine. With pressure on insurance payers and employers to provide healthcare services at lower cost than currently, we can expect all sorts of innovations. The capability of ‘seeing’ patients remotely is one of those possible innovations.

But what about behavioral health? And what does outsourcing have to do with any of this?

In yesterday’s Open Minds daily briefing, Monica Oss discussed telehealth and how it is beginning to spread in the behavioral health world. With Medicare now willing to pay for telehealth services that meet certain criteria, this possibility has become more likely. In behavioral health, telephone contact with clients has been a long-time staple in helping clients remain stable. Now that Skype and other visual telecommunications capabilities exist, a whole new industry has developed . . . and many existing organizations have added ways to include remote psychotherapy and follow-up sessions in the repertoire of their organizations. SAMHSA and HRSA have pioneered projects and pilot programs to foster such development, especially into rural communities.

Where there is remote capability to provide services, outsourcing is not far behind. If it can be done more cheaply by using resources outside the U.S., businesses will find ways to do it. While licensing and practice laws may currently stand in the way of too much outsourcing, you can be sure that it will come.

How does any of this affect your behavioral health organization? Our experience with our customers suggests that change occurs very slowly within their organizations.

As those of us who are more senior slow down our participation and eventually retire, resistance to paradigmatic change diminishes. As younger people who are perfectly comfortable with all things electronic move into the professional arena, newer technologies are successfully introduced. Where is your organization in this process? Do you see groundbreaking changes ready to happen? Or is your organization one of those holding onto the older ways at all costs?

Please share your opinions and experience with telehealth services and where you see it going. And what about outsourcing? Just click in the Comment box below to share your thinking.

Brain Training: What is it and does it work?

In July, I spent ten days at an ashram taking an immersion program in preparation for yoga teacher training. In this particular tradition, the teacher is provided with a script that must be memorized prior to certification. The program is structured to maximize learning the script, but I have found myself stressed to my utmost in my efforts to memorize this sequence of 29 postures and the two paragraphs of instructions that go with each one.

Memorization has never been my favorite type of learning. It is good that I did not need to memorize too much to complete my Ph.D. Comprehension is my strong suit. I am great with concepts…learning and expressing them. I am not so good with word-for-word memorization. As a student, I did this by repetition and rehearsal. I did oratory and debate in high school and, with lots of work, I was able to memorize my speeches when appropriate. Besides, I had written them, so they were my thoughts and words. Memorizing my lines in a play was always harder. Memorizing lists of terms and their definitions was my least favorite task, though I usually managed it.

Then my brain aged. Thank goodness for that; it certainly beats the alternative. However, the aging of my brain has manifested itself most obviously in struggles with remembering things. I use a reminder app on my telephone for day-to-day things, and it is very effective. I use a calendar with alarms for appointments. I do not usually miss things I have scheduled or reminded myself to do. But memorizing a large number of someone else’s words is proving to be very difficult for me.

In June, Monica Oss of Open Minds wrote an article summarizing some of the presentations and discussion at their June 2014 conference Technology for Better Brains: The Rise of New Treatments Based on Brain Science Innovation. The presenters were from Neuronetics, providers of Neurostar TMS Therapy® (Transcranial Magnetic Stimulation) and the Center for Life Management, an organization that uses this system; Brain Resources, Inc., a company that markets assessments and brain training tools; and Posit Science, the developers of brainHQ. Obviously, these individuals are all selling something, so I would want to know a bit more about the science before I buy.

In February, we had a visitor who had a concussion last fall. She is a physician in her late 50s who was told to rest her brain entirely to allow it to heal and recover. After a couple of months of rest, she was allowed to begin some brain rehabilitation. Now, she does brain exercises daily at a website called lumosity.com. She has found them to be most helpful. I take this firsthand experience seriously, coming from a physician who does not have a vested interest in the process.

I have not yet signed up for their program or any of the others, but I am very curious. I wonder what experience and information any of you have about these systems. I know we have neuropsychologists who read this blog. What is your take on brain training? Does the science support the sales? My ailing memory wants to know!

Please share any information or experience you might have with any brain training systems or with Transcranial Magnetic Stimulation. Just enter your comments below.