September 17, 2012

HIPAA Grows Teeth II

You could be forgiven for thinking that the seminal law underpinning U.S. healthcare reform has been aggressively enforced. Alas, most within the healthcare industry have wondered when the federal government would begin taking HIPAA's most blatant offenders to the woodshed. If ever. But action this week by the HHS Office for Civil Rights suggests that the government may begin pursuing violations in earnest.

HHS has announced that Massachusetts Eye and Ear Infirmary (MEEI) and its physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle HIPAA security-rule violations. The case involves the theft of a laptop computer storing 3,621 patient records, and HHS' allegation that MEEI and the physicians not only failed to secure data on the laptop but also failed to comply with other HIPAA security requirements. According to the Office for Civil Rights brief, MEEI failed to execute "thorough analysis of the risk to the confidentiality" of private patient information stored on the laptop and had not adopted and implemented "policies and procedures to restrict access to ePHI [electronic protected health information] to authorized users of portable devices."

The initial installment of $500,000 is set to be paid to the government on October 15, with two subsequent payments scheduled through 2014. The offenders will also have to submit to independent monitoring of a "corrective action plan" twice a year for three years. Read the Resolution Agreement here.

Time to lock down that patient data, folks. And maybe download free open source encryption software for those laptops while you're thinking about it.

June 30, 2012

Population Healthcare Is Health Reform

Michael Christopher
Chief Chigger, CarePrecise Technology

We have heard many people say that the Affordable Care Act is not health reform, but an attempt at health insurance reform. But a broad shift in the focus and delivery of healthcare has begun, shaped in part by the ACA, and poised to bring significant change to American healthcare. At the heart of that change is population-based healthcare.

"With the Supreme Court upholding the ACA, we all now understand that population healthcare is what we're all going to be doing going forward," says Dr. Steven Davidson, senior vice president and chief medical informatics officer for New York's Maimonides Medical Center in a June 28 Modern Healthcare article. What is "population healthcare," what does it have to do with the Affordable Care Act, and what does it mean to industry vendors?

The term refers to "the ability to assess the health needs of a specific population; implement and evaluate interventions to improve the health of that population; and provide care for individual patients in the context of the culture, health status, and health needs of the populations" according to the Association of American Medical Colleges. Population healthcare is a broadening of focus to see beyond the individual patient to the broad context of that patient's health issues, and to understand the issues of the patient's population to better serve both the individual patient and broader communities of patients.

This perspective becomes ever more critical when cost efficiencies are taken seriously into account, as they must be in an "affordable care" paradigm. In a Tufts Managed Care Institute's white paper on population health, we find:

"Population-based care involves a new way of seeing the masses of individuals seeking health care. It is a way of looking at patients not just as individuals but as members of groups with shared health care needs. This approach does not detract from individuality but rather adds another dimension, as individuals benefit from the guidelines developed for the populations to which they belong.* Members with a particular disease must be prioritized so that disease management interventions are targeted toward those members most likely to cost-effectively benefit.**"

The Affordable Care Act package as it now stands places the emphasis on results, rather than on specific means to obtain results. Despite what has been said by opponents, providers are given wide freedom in achieving improved quality and reach of care, and are provided with new resources, such as advanced electronic health records, paid for in part by the taxpayer. Population healthcare is a strategy for deploying these resources and creative latitudes, in a package of practical tactics and achievable objectives, and at scale.

When viewed through the lens of health reform's quality focus, public health data collection and bringing the technologies that enable collection to every point of care, population healthcare is seen as a key - if not the key - strategy for both implementing the provider side of health reform, and rewiring its financial backbone of health insurance.

* Boland P., editor. Redesigning Health Care Delivery. Boland Health Care, Berkeley, 1996. pp. 159-163.
** Zeich R. Patient identification as a key to population health management. New Medicine. 1998;2:109-116.

June 29, 2012

Now We Know: Time to implement the Affordable Care Act

As the Tennessee Medical Association puts it, there is now a "certain finality" to the Affordable Care Act following the Supreme Court decision upholding the law. A huge win for the Obama administration, the decision yesterday was like kicking a hornet's nest among conservatives. The Christian Medical Association said the decision "sounds an alarm across the country to people with faith-based and pro-life convictions" and called on Congress to repeal the law.

An article in Modern Physician characterizes the response among physicians as "mixed," but the vast majority of our MD, DO, PA and RN contacts have come down strongly in favor of the law, in one case saying "The government did something right... 50 million healthier Americans is going to look pretty good here in a few years."

Whichever political side one is on, it is now clear that work can move forward on implementing the law. The Tennessee Medical Association's statement concluded "Today's decision allows us to make more definitive plans regarding reforms to our healthcare system in Tennessee." The sentiment seems to be fairly widespread through the provider side of the industry.

Some states - among them our own Oklahoma - elected to refuse federal funding ($54 million in Oklahoma's case) to establish health insurance exchanges. The decision, taken on the part of Governor Mary Fallin, appears to have been politically motivated, but Oklahoma is, in fact, developing an exchange, without the federal dollars. An agency head, speaking with an Oklahoma radio station, said "It would have been good to have the money, so we could have a more user friendly and effective system, but we'll have something, anyway."

The justices struck down provisions in the law that would empower the federal government to force states to comply with the planned Medicaid expansion or lose all of their Medicaid funding. Now states will be eligible for basic Medicare funding even if they choose not to accept the additional dollars to provide expanded care. Numerous states have sworn to refuse expanded Medicaid funding, but it remains to be seen whether any will ultimately deny this added coverage for hundreds of thousands of their citizens. The federal dollars are being offered with no required match for three years. Medicaid is often one of the biggest lines in states' budgets, and that share is growing as healthcare costs continue to rise.

June 6, 2012

Medical Data Breaches Unnecessary

The problem of breaches involving healthcare data is getting worse, not better. As more medical information is stored electronically, the risk of unauthorized access grows. But a significant portion of the risk could be reduced to near zero if the primary users of the data - practitioners, healthcare information technology staff and contractors, administrative staff - would take one simple step. One simple and completely free step. Really; it costs nothing, and places nearly zero burden on the user.

We made this same recommendation about six years ago, when reports of stolen laptops first began coming in. But it seems as though no one in the industry has applied our simple fix. In January of 2012, a contractor copied the records of 34,000 patients of Howard University Hospital, containing SSNs, birthdates, and diagnosis-related information, onto a laptop. The data was not encrypted; the laptop, of course, was stolen from the contractor's car. This same scenario has been reported numerous times. Data, laptop, car, repeat.

Last month, federal prosecutors charged a worker at the same hospital with selling hospital data. She's set for a plea hearing on June 12. Clearly, this is a different situation, and would not have been mitigated by encrypting the data, since the worker was entrusted with full access. But you can be sure that Howard University Hospital wishes that the stolen laptop had not preceded this incident. Patients and regulators are rightly outraged.

Simply put, had the data been stored on an encrypted drive partition on those laptops, it would have been safe from prying eyes. How difficult is it to do that? If a free, open source program like TrueCrypt is installed on the computer, it's as easy as typing in a password to open the protected drive, copying the data onto it, and using the data just as though it were on any ordinary drive. After so many minutes of idleness, or when the computer sleeps, hibernates or is shut down, the program can be set to close the protected drive, rendering its contents completely unusable until the password is given again.

Along with encryption, passwords must be strong, which means hard to guess. But they don't have to be hard to remember and type. A good rule is to have 20 or more characters, but a simple phrase can be easy to remember. Stop thinking pass word, and think pass phrase instead. Here's an extremely strong password: Theylike2bheld/theseKitties ("they like to be held, these kitties"). Easy to remember and type, but it has upper and lower case letters, a numeral and a punctuation character, and totals 27 characters in all. That's one strong password. It works in TrueCrypt and virtually all other encryption programs. And it even has kittens!
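An added example (not part of the original post, and not TrueCrypt code) that applies the "20 or more characters" rule to the passphrase above and to a short constructed password, and estimates the exhaustive-search space of each. The function names and the guess rate are assumptions; the bit count is an upper bound, because word-based guessing does better than character-by-character search against phrases built from dictionary words.

```python
import math
import string

# Character pools a character-by-character exhaustive search must cover.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,  # 32 ASCII punctuation characters
}

MIN_LENGTH = 20             # the "20 or more characters" rule from the text
GUESSES_PER_SECOND = 1e12   # assumed attacker speed, for illustration only

PAGE_EXAMPLE = "Theylike2bheld/theseKitties"  # passphrase quoted in the post
SHORT_EXAMPLE = "P@ssw0rd"                    # constructed short password


def classes_used(passphrase):
    """Return the names of the character pools the passphrase draws from."""
    return {name for name, pool in POOLS.items()
            if any(ch in pool for ch in passphrase)}


def brute_force_bits(passphrase):
    """Upper bound on search space, in bits: length * log2(pool size)."""
    pool_size = sum(len(POOLS[name]) for name in classes_used(passphrase))
    if pool_size == 0:
        return 0.0
    return len(passphrase) * math.log2(pool_size)


def years_to_exhaust(passphrase, rate=GUESSES_PER_SECOND):
    """Years to try every candidate of this length and pool at `rate`."""
    seconds = 2 ** brute_force_bits(passphrase) / rate
    return seconds / (365.25 * 24 * 3600)


def check(passphrase):
    """Return a list of policy problems; an empty list means it passes."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"length {len(passphrase)} is below {MIN_LENGTH}")
    missing = set(POOLS) - classes_used(passphrase)
    if missing:
        problems.append("missing character classes: "
                        + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    for candidate in (PAGE_EXAMPLE, SHORT_EXAMPLE):
        print(f"{candidate!r}: {len(candidate)} chars, "
              f"<= {brute_force_bits(candidate):.0f} bits, "
              f"~{years_to_exhaust(candidate):.2e} years, "
              f"problems={check(candidate)}")
```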

Some encryption software, including TrueCrypt, offers an additional important feature. Let's say you are carrying extremely valuable data, being mugged, and are forced to enter your password to start the computer. Let's go so far as to say that the mugger is savvy enough to search the computer for an encrypted file, and finds it. TrueCrypt actually lets you use a different password when you mount the protected drive, which opens a phony data trove on which you've stored some bogus data. Plausible deniability saves you and your data.

There is simply no reason not to require all staff members and contractors to use encryption for all medical and other personal data. Essentially zero ownership cost, and it doesn't slow anybody down. No excuses.

Encryption and strong passwords. Take these two pills and sleep better tonight.

TrueCrypt is a free open source project, available at

May 7, 2012

Download the Health Plan Database

CarePrecise announced today the release of a new health plan database product. Containing nearly 3,900 health plan records and more than 600 health insurance companies' names, addresses, phones and email addresses, the CarePrecise Health Plan Database offers the most recently updated information available on U.S. health plans.

The initial product offering is a straightforward, downloadable, virtually unlimited use* database, priced at $199.00. Future expansion of the health plan data project will see the addition of normalized components such as health plan contract details, county coverage, exhaustive provider network connections, and a Spanish language option.

Uses for the database include research, data hygiene projects and marketing applications.

*Review the product EULA here.

The Sunshine List

As lawmakers continue to push CMS to implement the Physician Payments Sunshine Act, and CMS mildly demurs out of concern that drug and equipment manufacturers won't be able to comply any time soon, CarePrecise has been busy getting prepared for a run on the databank.

As most of the players are beginning to realize, an accurate and up-to-date source of provider information will be a necessity in reporting payments properly. The CarePrecise master provider list contains all the hooks required to positively identify specific providers, and connects provider licensing and NPI numbers to such pertinent information as PECOS enrollment, Medicare billing eligibility, and the Office of Inspector General's excluded providers database. The current version of the CarePrecise Access Complete database identifies multiple providers practicing at a single location, using super-conformed location coding.

Sunshine Incoming

CarePrecise can process incoming lists of payments to providers using the advanced record-linking technology we use to build our master databases. Whether companies have NPI numbers or not, our system can use other data to identify payees.

CarePrecise data is already in use in installations where states have various types of Sunshine laws in place, and where organizations are preparing for the federal act to take effect. When we can all finally see who's paying what to whom (to whatever extent that will be truly possible), CarePrecise data will be part of this vital next step in controlling healthcare costs and abuses of influence.

April 25, 2012

ICD-10 Selling Coding Systems

Are those coders in the basement about to see their pink slips? Maybe so, within the coming two years, as roughly half of inpatient providers say they expect to buy automated coding solutions over the next one to two years.

According to a new report released by KLAS Research, many healthcare providers are seriously considering purchases of inpatient computer-assisted coding (CAC) systems during the coming 24 months, despite the ICD-10 deadline delay to a recently proposed date of October 1, 2014.

Providers say that encoder/grouper integration is particularly important. 73% of providers reported that they are considering 3M, which currently holds a 50% market share and three quarters of the inpatient encoder market. OptumInsight and Dolbey have also generated strong interest among providers.

Interest in CAC is being driven by concerns about the productivity impact that ICD-10 will have on providers' practices in both outpatient and inpatient settings. The transition to ICD-10 cranks up the number of diagnostic codes to 68,000 from 13,000 in the ICD-9 code set. Codes for inpatient procedures will shoot from 11,000 to 87,000 codes.

April 24, 2012

Hurry Up, Sunshine

Senators Chuck Grassley (R-IA) and Herb Kohl (D-WI), authors of the Physician Payments Sunshine Act, are pushing for CMS to get its final implementation rule out the door. Once the rule is published, the process of collecting data on financial transactions between doctors and industry vendors can start. Six months after CMS missed the October 1, 2011 statutory deadline, the senators expressed their displeasure with the agency's slow movement.

After missing the implementation date, CMS again missed a March 31, 2012 start date for the 1,150+ drug, device, biologics and medical supplies manufacturers to report all "transfers of value" given to physicians and teaching hospitals.

The Sunshine Act, as it is nicknamed, is designed to bring transparency to physician interactions with revenue sources that may unduly influence decisions regarding patient care. While such sources as manufacturers' payments for research are vital to healthcare technology development, patients should know when (and what for) large sums of money are attached to their doctors' treatment decisions.

Proposed implementation, published December 19, is available online.

March 28, 2012

5,000th Application Milestone

In April, 2012, CarePrecise will celebrate having built and released our 5,000th database application and version release! Actually, we will have released 5,049 (and maybe more) separate software applications, including state-by-state NPIdentify Desktop apps, CarePrecise Access sets, customized CarePrecise Select sets, CP ListMaker version upgrades, custom applications, and specialized MEDICAlistings marketing lists. In all, we will have distributed software and datasets representing nearly a terabyte of data and code since 2008. We're a privately held company and we don't release financials or our exact number of users, but we can say that it's between 500 and 1,000. And we love every single one!

March 7, 2012

Hospital Spending To Grow

A new survey conducted by L.E.K. Consulting indicates a predicted rise in spending and aggressive supplier negotiations by hospitals during 2012. The study, which surveyed 200+ hospital executives, found that 61% expect budgets to grow through the year, in such areas as healthcare I.T. (57%), facilities and major medical devices (35%), and many expect growth in infection-fighting disposables. In fact, budgets are expected to rise through the coming five year period.

But the study also revealed that hospitals can be expected to drive ever harder bargains for their purchasing. Eighty percent stated that they will continue or step up pressure on suppliers to cut costs, while the number that anticipate greater use of purchasing organizations grew from 52% to 62% over last year.

The investigators cited the Affordable Care Act as a driver for the increase in hospital spending. CarePrecise healthcare provider data contains 31,270 hospital records as of February 29, 2012, representing 5,755 hospitals with 942,000 beds and total 2011 expenditures of $751 billion.

January 29, 2012

Practice Group Data Now Part of CP ListMaker

Jan. 29, 2012 -- CarePrecise announces a major upgrade of its CP ListMaker software that puts all 3.5 million U.S. healthcare provider records – including almost one million physicians – in reach for marketers. The upgrade now includes practice group data to help qualify sales leads.

Today we announced a new version of our popular CP ListMaker software, our desktop system that puts all of the 3.5 million healthcare provider records – including approximately one million physicians and tens of thousands of hospitals and ambulatory care facilities – at the fingertips of researchers and marketers. CP ListMaker allows users to pull tightly targeted lists of physicians and other providers based on criteria such as specialty, subspecialty, facility types for organizations, provider gender, wealth/poverty of service area, Medicare enrollment, and many more. The new version, CP ListMaker 3.5, unveils new practice group data, and does it in an interesting way.

Until now, it has been difficult to find data indicating providers' practice groups. With new data now obtained from Centers for Medicare and Medicaid Services (CMS), combined with CarePrecise's advanced record linkage system, CP ListMaker identifies practice groups, and can list all of the providers working at each practice location.

The "Co-location codes" attached to each record make it possible to further qualify potential prospects for companies marketing to the medical community. Not only physician practices, but dental groups, behavioral services groups, and all other HIPAA-covered healthcare providers are co-location coded. The new CP ListMaker offers tools for using the new data, for example to export a list of obstetric/gynecology group practices of between 3 and 20 members.

CarePrecise's record correlation processes also make it possible to link providers' PECOS and LEIE records with their NPI (National Provider Identifier) records, providing a rich master record that can be used to enrich or update customers' existing databases. The PECOS data (indicating which providers are enrolled to be able to bill Medicare) has recently been redacted by CMS, now providing only a partial NPI number; however, our system restores the full NPI number. The federal List of Excluded Individuals/Entities (LEIE) database, which lists providers who have been barred from billing federal programs due to fraud convictions or other infractions, also has no unique identifier as distributed; however, CarePrecise links the LEIE data to the NPI data with each monthly update.

With or without a unique identifier, such as an NPI, EIN, UPIN or OSCAR -- or even a telephone number -- the CarePrecise master data management system, known as SQUIRRelate, can pull provider data together into a master record database from diverse sources. The company offers boutique record linkage services that can be used to merge data acquired during mergers and acquisitions, through cooperatives such as Health Information Exchanges, or from multiple in-house systems.

CP ListMaker is available as part of the CarePrecise Gold bundle, which includes CP ListMaker and the full U.S. healthcare provider database, or separately for customers who already subscribe to the CarePrecise data. The tool runs in Microsoft Access 2003, 2007 and 2010, and is provided open source, making all of the Access tools available to users.


January 7, 2012

Sorting Out Practice Group Data

Starting with the November 2011 distribution, CMS began including 15 new fields in the NPPES database related to practice groups. These are actually taxonomy codes; the taxonomy code set includes two group codes: 193200000X Multi-Specialty Group and 193400000X Single Specialty Group. The definition of the single specialty code is "A business group of one or more individual practitioners, all of who [sic] practice with the same area of specialization." That should clear it all up, right? Oh, no.

So these are not necessarily physician groups. That's fine, but additional questions remain, like: Why aren't these taxonomy codes reported in the taxonomy codes section of the NPPES? The documentation from CMS is mum. And why is it that individual (Type 1) practitioners can call themselves a "group" when the NPI regulation says that a Type 1 provider is a single human being? There are more than 1,000 of these in the data. So, a group can be physicians or not, or a mix, and a group can be one guy. And these two taxonomy codes aren't in the providers' taxonomy code data. Oh, and providers can report these same two codes up to 15 times (presumably having some relation to the up to 15 taxonomy codes in that other section of the data?). And, given 15 fields to play with, they can report being both a single specialty group and a multi-specialty group.


And there just happen to be many more group practices out there than are reported via these codes.

Using the new group codes data to actually identify groups, then, is somewhat less than doable. So we've taken a different tack.

Many of our clients need to know the group status of an individual practitioner. Let's take some really common examples. Let's say you are putting together a clinical trial for a new drug, or a marketing campaign for a new device. By phone, fax, and/or mail, you plan to contact a few thousand physicians in this state, a few thousand in that state, etc. You don't want to deluge a practice with 50 letters or phone calls all at once (and some practice locations are that big and bigger), so you need to know the practice group for the physicians on your list, so you can stagger your communications. Or, let's say, you just want to reach the CEO or medical director for a given group. Well, as it happens, the CEO isn't always the record that indicates a group practice; it's sometimes the office manager, credentialing coordinator, or just a young doc who can pilot the laptop. How do you sort all this out? Well, frankly, you couldn't, until now.

Beginning this month the CarePrecise Access dataset contains a new feature called a "CoLoCode" (co-location code). The CoLoCode is derived from deeply conformed practice location data, and each provider record gets one. Look up a group (using the CMS Group codes or by looking for a number of physicians co-located at the same practice address), then plunk that CoLoCode into a query to show you all the providers practicing at that location. Voila!

To make it even easier, we are releasing a new version of our CP ListMaker software, with new group features that take full advantage of the CoLoCodes and new CMS group data.

CMS Redacts NPI in PECOS File: Solution

The PECOS Ordering and Referring Report has been a tremendous resource for those of us who have to know whether a business partner is eligible to bill Medicare. A great example is the DME supplier who needs to know that the physician who orders a patient's medical equipment is authorized to do that; it could cost him money when the claim is rejected. Well, that report has just gotten a mite less useful.

(UPDATE: Here's a press release we just sent on this issue, and a page on our website with details.)

Starting with the current release, CMS has blocked out the first 6 digits of the NPI number. It looks like ******1234. Utterly useless if you want to incorporate that file into your business systems. We have a solution!

CarePrecise specializes in healthcare record linkage projects. We collect data files from many sources and, using our SQUIRRelate record "linking and shrinking" system, match them into our NPI database. The PECOS Ordering and Referring Report and the pending enrollment files are no exception. Our system can still tell you which providers are enrolled to bill Medicare or have a pending enrollment -- with their NPI number and a lot of additional information the PECOS reports never offered.

In fact, we not only match up NPI numbers with PECOS enrollment, we also do it with the federal List of Excluded Providers (LEIE), the now deprecated but still useful UPIN registry, state license numbers, phone and fax numbers, both mailing and practice addresses, economic data from the US Dept of Commerce, and much more. Now we can even tell you how many providers practice at the same location, and give you the providers who report as a multi-specialty or single specialty practice group.

It's all in CarePrecise Gold (and everything except the economic data is in our basic dataset, CarePrecise Access), for 3.5 million U.S. healthcare providers.