Do You Own Your Patient Records?

I just re-read an email newsletter by Monica Oss of Open Minds asking the question: “Who Owns Patient Records?”. The answer to this question varies from state to state, with some locales not having clear statutory requirements. In Florida, the provider owns the record but must provide a copy of it if the patient requests it. In fact, the HIPAA privacy standards make it very clear that the provider is responsible for sharing records with a patient (making copies) if a patient so requests. One of the major exceptions to this requirement is psychotherapy notes, which the behavioral health provider is not responsible to share with the patient and must not share with anyone else (like an insurance company) without the patient’s specific permission.

This matter is complicated when a provider uses an Electronic Medical Record (EMR) that is hosted by a software company. Why should that matter, you ask. Well, in the case of the hosted product, the software resides on the company’s servers, not on the provider’s computer. The provider pays to use the software; they don’t own anything. Unless the provider prints everything out, they do not really have possession of a record; the software company does.

What happens when they decide to go to another software program? The first company may be willing to provide them with reports and printouts of their records, but getting that into a new program can be a challenge. And if the old company is willing to work with the new one to transfer the data, the process can be very time-consuming and costly…and some companies won’t even do it.

And if the EMR is free, the provider may be agreeing to share some of the data they enter so the software company can sell it to other companies…all within the confines of their role as a Business Associate, of course. You do have a BAA with the software company, right? And of course, you have a good contract that you have read and understood before you signed it, right?

Hmmm…..this ownership question is complicated.

Please share your comments below.

Healthcare.gov Struggles in First Weeks

I don’t know about you, but I have been reading everywhere I turn about the shortcomings and failures of healthcare.gov, the website created by HHS to serve as the health insurance exchanges for over half the states. The site was overwhelmed by the number of people who attempted to access it in the first days. The requirement that potential customers create an account before they could even look at prices in their state, and the bottleneck that requirement caused, meant that people could not get anywhere. Each time they tried anew, they were required to re-enter their information and still got nowhere. Many people were very frustrated.

President Obama has called for a ‘tech surge’ including the assistance of heavy hitters from government and private sources. And now members of Congress are calling for investigations into who in the administration is to blame. The strong undercurrent in each of the articles I have read is that here we have yet another example of government ineptitude.

But is that what we have? After all, this entire project was contracted to a huge private corporation that had an open-ended contract to provide a mission-critical product for HHS. They failed, and now they are being paid even more money to fix their mess. Here’s one more example of private corporations fleecing the American taxpayer.

But wait, aren’t private corporations by definition more effective and efficient than the government? That is a story we have all been sold for the past forty years. Privatize! Private companies can always do it better…by definition!

According to Joshua Holland and Moyers & Company, that is anything but the case. Government has been so downsized since Reagan, Bush, Clinton and Bush, that it does not have the resources to even oversee these huge contracts; so when they go awry, there is no one there to get them back on track.

I don’t think large government is our problem; I think out-of-control private contractors and their cronies in the administration and in Congress are.


Medical Identity Theft: Fastest growing type of fraud

You know all that work you have been doing to make your organization HIPAA compliant? You have been tuning up your privacy and security practices in order to keep safe the protected health information (PHI) of your clients.

Good job…but not good enough!

In spite of the efforts of healthcare organizations and providers of all stripes to secure the PHI of their patients, Medical Identity Theft and resulting fraud are dramatically on the rise. According to ID Experts’ Data Breach Examiner,

In the last year, medical identity theft has affected 1.84 million Americans, costing victims an estimated $12.3 billion in out-of-pocket expenses. . . . Medical identity fraud is estimated to cost the healthcare industry almost $40 billion annually, driving up the cost of healthcare for everyone.

Do you know someone who has allowed another person to use their Health Insurance card and ID? Maybe your friend who has insurance let her sister, who did not, use her card. Or possibly, your wallet was stolen and you noticed an EOB on your payer’s web site that was for services you never received.

Breaches are not the only way data finds its way into the hands of someone who does not own it. According to ID Experts, it’s all in the family.

 More than half the survey respondents said they would find another provider if they knew their healthcare organization could not safeguard their medical records. Yet 30 percent of those surveyed also reported that they knowingly allowed a family member to use their personal identification to obtain medical treatment, healthcare products, or pharmaceuticals, and more than 20 percent couldn’t even remember how many times they had shared their healthcare credentials. Even in cases where medical identity was stolen, 48 percent said they knew the thief (typically a family member) and didn’t want to report him or her.

Not only does this cost money, it also contaminates the medical record of the individual, increasing the danger of misdiagnosis and improper prescriptions.

Perhaps you have never experienced this in your behavioral health organization. Perhaps you have and have many stories to tell. I know I was certainly asked to do some fraudulent insurance activities when I was in private practice.

Have you or your organization experienced someone falsely using another person’s medical identity? How did you handle it? Please share your comments below.


HIPAA Omnibus Final Rule Now in Effect

On September 23, 2013, the HIPAA Omnibus Rules became effective. You can read the details of the process and get huge amounts of information from the HHS web site; you can read the entire Rule as published in the Federal Register. But if you are strapped for time and you want to be sure you and your organization have done everything you need to do to meet the requirements of the rule, you can take a look at an excellent summary published in March by the Godfrey Kahn Law Firm of Wisconsin. There are many such summaries around and you definitely should take a look at one of them if you are the Privacy Officer for your organization. I know that many organizations have not done even the basics of updating their Notice of Privacy Practices or updating their Business Associate Agreement (BAA) . . . you do have those, right?

Keeping the protected health information (PHI) of your clients secure and private is a significant responsibility, especially the sensitive information of behavioral health clients. I hope you have taken these changes seriously.

Please share your comments below.

Telehealth: Is this a legitimate way to provide treatment?

My first article on telehealth services in mental health was in February 2009. Since that time, I have written about this subject on multiple occasions. It has seemed natural to many of us that some mental health services could be appropriately provided using services like Skype.

This area is very much open for debate, but in Oklahoma, a doctor has been sanctioned for mental health services he provided remotely. Investigative Reporter Andrew Knittle reported on NewsOK that Dr. Thomas Trow was disciplined because he prescribed controlled substances for a patient he had never met face-to-face (his nurse was with the patient and present during the remote session), the patient overdosed multiple times, and the patient ultimately died. Joseph Kvedar, M.D. re-reported this story and his comments in the cHealth Blog after he was invited to comment in WBUR’s Common Health blog. Dr. Kvedar wrote the following as part of his contribution:

The Medical Board of the state of Oklahoma recently sanctioned a physician for using Skype to conduct patient visits. A number of other factors add color to the board’s action, including that the physician was prescribing controlled substances as a result of these visits and that one of his patients died. This situation brings up several challenges of telehealth — that is, using technology to care for patients when doctor and patient are not face-to-face.

• Legal/regulatory: On the legal side, physicians are bound by medical regulations set by each state. It appears that the use of Skype is not permitted for patient care in Oklahoma.

• Privacy/security: Skype says its technology is encrypted, which means that you should not be able to eavesdrop on a Skype call. That would seem to protect patient privacy.

At Partners HealthCare, we ask patients to sign consent before participating in a ‘virtual video’ visit. Because this is a new way of providing care, we feel it’s best to inform our patients of the very small risk that their video-based call could be intercepted. I don’t know if the Oklahoma physician was using informed consent or not.

But the most interesting aspects of this case involve the question of quality of care. Can a Skype call substitute for an in-person visit? Under what circumstances?

While Dr. Kvedar brings up additional interesting points in his discussion, I think the three listed above are crucial.

  1. What is the state law where you are working? If the patient is in another state, what is the law in that state? Which state’s laws govern the interaction?
  2. Is the method you are using for your session secure? Does the patient understand that it might not be so?
  3. Can you provide quality care remotely? Is this a new patient you have never met face-to-face or is this follow-up care with an already established patient?

Has your organization begun using remote sessions to provide behavioral health services? How do you do this? How do you handle the privacy/security issues? How do you assure that the quality of the patient’s care remains high?

Please share your comments below.