This email landed in the MBA HealthGroup inbox today. It's the beginning of many security and privacy upgrades that the HIT industry must comply with as a part of the HITECH Act. The most important part of this proposal is that any patient information would be rendered unusable in the hands of any unauthorized user. If you are interested in commenting on the proposed changes, you can do so here: www.hhs.gov/ocr/privacy
On Friday, April 17, 2009, The U.S. Department of Health and Human Services (HHS) issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare and Medicaid Services (CMS).
This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.
In addition to this guidance, HHS has also concurrently issued a request for information (RFI) soliciting public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance. The guidance and RFI are available at www.hhs.gov/ocr/privacy. Once published in the Federal Register, the guidance and RFI will also be available for public comment at www.regulations.gov.
Taking steps to combat identity theft, the Federal Trade Commission (FTC) issued a final rule in November of 2007 which mandates all financial institutions and “creditors” to develop and implement identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Originally set to be in place by November 1, 2008, the FTC announced the new compliance deadline to be May 1, 2009.
The problem, of course, is that physicians are rarely creditors.
Under the FTC’s extremely broad definition of a “creditor”, physicians are included and must adhere to this compliance date, taking immediate steps that will be financially burdensome for most hospitals and private practices. According to MedPage Today, in a survey of 100 hospitals, 91 said they would have to spend over $10,000 to comply with the Red Flags Rule. Any failure to comply with this new rule would warrant $2,500 per violation.

Physicians are “creditors”? If you disagree with that, you are not alone. The American Medical Association (AMA), along with over 100 undersigned medical organizations, has written a letter to the chairman of the FTC, respectfully disagreeing with the FTC staff’s conclusion that physicians are “creditors” and must be in compliance with the act by May 1st, 2009. The letter also argues that the FTC failed to comply with the Administrative Procedure Act (APA), which requires the FTC to provide the public with notice and the opportunity to comment. Also, this new compliance requirement duplicates much of the preexisting Health Insurance Portability and Accountability Act (HIPAA) compliance that all medical organizations are already required to follow by law.
A large majority of physicians and managers are not aware of the law itself, let alone the implications it may have on their organization.
5. Not setting a realistic time line to launch your new practice. Whether a physician is finishing up their residency or deciding to leave a hospital or group practice, they rarely give themselves enough time to start a practice the right way. Many times it's an "I need to get up and running ASAP, maybe next month if I can". Unfortunately it isn't that easy. When starting a practice you have to take into account time to get credentialed for your new practice, time to find staff, time to implement systems, and time to find real estate. Be flexible with deadlines and unexpected delays.
4. Not knowing the financials. There aren't many physicians that have a boatload of cash to spend after their residency, so most end up getting business loans from a bank. We don't necessarily recommend writing a business plan for every practice, but we always make sure the financial plan and proforma are adequately constructed. Make sure you have conservative 3-year projections and a line of credit that will cover you for the first 3 months even if you don't generate any revenue. Remember, insurance carriers don't always pay you instantly; sometimes it takes months. It also never hurts to have best-case and worst-case scenarios in your proforma, just so you know what you'll need to do if you don't get as many patients from the start as you expected. To calculate revenue, determine your expected payor mix and use the carrier websites to see if they post what they pay for specific office visits and procedures. Leave no stone unturned: estimate the cost of EVERYTHING, down to the magazines in the waiting room.
3. Hiring the wrong people! Recruiting and hiring is a skill. Get help to ensure you bring in highly motivated staff that are as invested as you are. If you're going to be in a fast paced practice, hire staff that can keep up with you. Hiring the wrong people can be extremely expensive considering how much you will invest in them to learn your IT systems, equipment, and workflow processes.
2. Choosing the wrong EHR/PM for your practice. If you aren't familiar with health information technology, good luck acclimating to the ever-changing and complicated environment. There are over 300 EHR/PM vendors out there and 95% of them are NOT right for you. You can also expect a good number of those vendors to be acquired, go out of business, or not be able to support you in a way that works for you. Right now the safe bet is to start on http://www.cchit.org/, which is the only EHR certification board out there, and look at which vendors are certified. While there are some incredible EHRs out there that haven't been certified, the HITECH stimulus package is promising incentives for only "certified" products. Always choose the EHR first, and then make your Practice Management system decision.
1. Not asking for help from someone who knows business. Let's face it, medical school is just not geared around teaching physicians how to start a medical practice. The majority of physicians also don't have the time to sit down and read books on how to start a practice in the hopes that it will actually guide them to success. This is a process with a million variables that requires expertise. At the very least, talk to family and friends that know business. In an ideal situation, you'd bring in an expert to help you with starting your own practice (read: 9 steps to Successfully Starting a Medical Practice). In the long run, the investment on the upfront expertise will not only save you time, money, and possible heartache, but it will generate more money than you could have without consulting with an expert.