"The Republican plan to kill Medicare is part of a plan to balance the budget on the backs of seniors," Senate Majority Leader Harry Reid said before yesterday's vote. That plan, originating in the House authored by Republican Paul Ryan, would have dismantled Medicare guarantees in favor of a private system that would force seniors to shop for health plans.
Republicans forced a vote on the Obama Administration's budget as a ploy to show the lack of support among Democrats for it. The 97-0 vote roundly defeated the President's budget.
May 26, 2011
March 18, 2011
Health Information Exchange Finance Study
Lately I've been asked by multiple people about the RHIO/HIE work we did a few years ago. With wider adoption of EHR and EMR, health information exchanges are finally beginning to be able to sink their teeth into data, and their value is being better understood. Still the most detailed analysis of HIE finance is the two-year study conducted while I was senior analyst at Healthcare IT Transition Group. The full 129-page study is now available online again.
March 16, 2011
New Hospital Admin Education Website
Hannah Anderson's goal was to compile an unbiased and updated list of every school that offers a hospital administration degree in the US. She felt that the existing lists were not comprehensive or easy to find, and that many websites had outdated information and links. www.HospitalAdministration.org is a valuable new resource for hospital administration students, and for seasoned administrators when we're asked to make recommendations. All the schools are listed on the front page and lead directly to each program, and can be viewed state-by-state. Thanks, Hannah!
March 10, 2011
Got Teeth? Here Comes HIPAA Enforcement
Two-day workshops in April, May and June have been set to train state attorneys general in HIPAA enforcement. The economic stimulus law attached stronger penalties for HIPAA privacy and security violations, and perhaps more importantly, removed sole prosecutorial powers from the Office for Civil Rights at HHS (OCR) for enforcement of federal privacy and security provisions by granting dual enforcement authority to state attorneys general. Going further, the law also expanded application of HIPAA criminal provisions to any individual who obtains or discloses health information kept by a covered entity -- not just the covered entity itself -- which essentially reverses the Bush administration Justice Department, which held that only "covered entities" are eligible for prosecution. So, if that EHR software company has an oopsie with your medical records, your state attorney general can go after it. CHOMP! Read the Modern Healthcare article.
March 8, 2011
Patients Want Their Providers Online
The second-annual study from Intuit Health, the Health Care Check-Up Survey, found that 73% of Americans surveyed would use secure online tools to access lab results, request appointments, pay medical bills, and communicate with their doctor's office. CarePrecise began building web portals for healthcare providers a few years ago, and has seen a rise in interest from providers, who want to be able to point patients to written information in the controlled environment of their websites. Providers are also looking at adding scheduling applications, and some are participating in PHRs (patient health record portals). Read the Information Week article.
February 14, 2011
Good News, Docs and Vendors: No Medicut
According to the Associated Press, the Obama administration proposes $3.73 trillion for the next budget cycle, as part of its plan to shrink the federal deficit by $1.1 trillion over the coming decade. $62 billion of the savings would be used to avoid cuts in Medicare payments to physicians over the next two years. The full proposed budget is expected to be released later today.
January 18, 2011
Nearly 3000 Excluded Providers Still Practicing
You might wonder if, and if so, why, healthcare providers who have been convicted of Medicare fraud are still practicing medicine, writing prescriptions, and billing health plans (except, presumably, Medicare). Well, it's a good question. Apparently such a conviction may not get a provider's NPI deactivated.
For several months the number of providers that appear on both the HHS Office of Inspector General's excluded providers list and the current National Plan and Provider Enumeration System (NPPES) has hovered around 2,700.* But for December the number jumped to 2,925. Of that number, more than 1,400 are physicians.
For the past several months, CMS has dropped only 400 to 500 providers each month for various reasons; not all dropped NPI records are due to fraud convictions. Interestingly, the December NPPES dropped more than 1,000 records, while still including more than 2,900 providers listed in the LEIE (List of Excluded Individuals/Entities), the federal database primarily of healthcare providers convicted of fraud or other crime, for patient neglect or abuse, felony controlled substance conviction, or whose licenses have been revoked, suspended or surrendered. A small number of providers are included on the list for less serious reasons, including refusal to provide required information to HHS, and default on a federal healthcare education loan. An inquiry sent to CMS requesting information on the matter has not been answered.
Each month, nearly 30,000 new records are added to the NPI database, primarily representing new healthcare providers. On average, 33,000 records are updated (by the providers themselves in nearly every case). The December NPPES database includes 3,277,833 healthcare provider records. All HIPAA-covered U.S. healthcare providers are required to obtain an NPI record. For all practical purposes, a physician's NPI number, along with a DEA number, is required to write a prescription because pharmacies generally require them. Theoretically, at least, if a pharmacy could not find a valid NPI number, it could refuse to fill the prescription.
CarePrecise compiles federal healthcare provider data for use in research, clinical trial provider pool development, fraud prevention and marketing. Clients include health plans, educational institutions, drug companies, marketers, law enforcement, health systems and individual providers.
_______
* Source: CarePrecise research data. Methodology involves cross-referencing the two databases using proprietary algorithms to affix NPI numbers to providers in the fraud database; the fraud database (LEIE) does not include NPI numbers, making it difficult to track against practicing providers. Actual number of providers on both lists may be higher; the cross-referencing algorithm is used conservatively.
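As an added example of the kind of cross-referencing the footnote describes (illustrative code, not CarePrecise's proprietary algorithm, which the post does not disclose; every record below is constructed), the block validates NPI check digits, normalizes names conservatively, and flags active NPIs whose holder matches an LEIE entry on last name, first name and state.

```python
# Added example (not CarePrecise's proprietary method): a conservative
# cross-reference of an OIG exclusion list (LEIE, which carries no NPI)
# against NPPES provider records, flagging excluded people whose NPI is
# still active. All records below are constructed samples.
from dataclasses import dataclass
import re
import unicodedata


@dataclass(frozen=True)
class NppesRecord:
    npi: str
    last: str
    first: str
    state: str          # practice-location state
    deactivated: bool   # True once CMS has dropped the NPI


@dataclass(frozen=True)
class LeieRecord:
    last: str
    first: str
    state: str
    excl_type: str      # exclusion authority, e.g. "1128a1" (constructed values)


def npi_is_valid(npi: str) -> bool:
    """An NPI is 10 digits whose last digit is a Luhn check digit computed
    with the card-issuer prefix 80840 prepended to the number."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


_SUFFIXES = {"JR", "SR", "II", "III", "IV", "MD", "DO"}


def norm_name(s: str) -> str:
    """Fold accents, uppercase, drop punctuation and generational suffixes so
    'García' and 'GARCIA', or 'Jones, Jr.' and 'JONES', compare equal."""
    ascii_s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^A-Za-z ]", " ", ascii_s).upper().split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def match_key(last: str, first: str, state: str) -> tuple:
    return (norm_name(last), norm_name(first), state.strip().upper())


def cross_reference(nppes, leie):
    """Return active NPIs whose holder exactly matches an LEIE entry on
    normalized last name, first name and state. Exact three-field matching
    is deliberately conservative: it misses some true hits (a provider who
    moved or changed name) rather than accusing a namesake in another state."""
    excluded = {match_key(r.last, r.first, r.state): r for r in leie}
    flagged, invalid_npi = [], []
    for rec in nppes:
        if not npi_is_valid(rec.npi):
            invalid_npi.append(rec.npi)     # data-quality problem, not a hit
            continue
        if rec.deactivated:
            continue                        # CMS already dropped this NPI
        hit = excluded.get(match_key(rec.last, rec.first, rec.state))
        if hit is not None:
            flagged.append((rec.npi, hit.excl_type))
    return {"flagged": flagged, "invalid_npi": invalid_npi}


# Constructed sample data: names and NPIs are made up; the NPIs pass the
# check digit except the last one, whose final digit is wrong.
SAMPLE_NPPES = [
    NppesRecord("1234567893", "Smith", "John", "TX", False),        # excluded, active
    NppesRecord("9876543213", "García", "María", "CA", False),      # excluded, active
    NppesRecord("1111111112", "Jones, Jr.", "Robert", "NY", True),  # already dropped
    NppesRecord("2222222228", "Smith", "John", "FL", False),        # namesake, other state
    NppesRecord("1234567890", "Lee", "Ann", "WA", False),           # bad check digit
]
SAMPLE_LEIE = [
    LeieRecord("SMITH", "JOHN", "TX", "1128a1"),
    LeieRecord("GARCIA", "MARIA", "CA", "1128b4"),
    LeieRecord("JONES", "ROBERT", "NY", "1128a1"),
    LeieRecord("LEE", "ANN", "WA", "1128a1"),
]

if __name__ == "__main__":
    result = cross_reference(SAMPLE_NPPES, SAMPLE_LEIE)
    for npi, excl in result["flagged"]:
        print(f"REVIEW: NPI {npi} matches an LEIE entry (exclusion {excl})")
    for npi in result["invalid_npi"]:
        print(f"SKIPPED: {npi} fails the NPI check digit")
```

Every hit is a lead for human review, not a determination: two people can share a name and a state, which is why the post's own count is described as conservative.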
December 31, 2010
All Your Words Are Belong To Us
Your phone-to-phone text messages are secured against being read by hackers using a decades-old technology that is full of holes and regularly being hacked. As is your location, any time you have your phone turned on. And it's not just the phone companies, not just law enforcement using $50,000 network sniffing devices. It's hackers using $15 cell phones and a laptop. In a demonstration at the Chaos Computer Club (CCC) Congress a few days ago, a couple of seasoned pros gave the assembled hackers a step-by-step tutorial.
But wait, you say, how come hackers aren't cracking the phone companies' SIM card codes so I can do stuff like, say, run an iPhone on my Sprint account? Well, that's because the phone companies are using much tougher encryption to lock in their revenues than to secure your private information. “There is one key used for communication between the operators and the SIM card that is very well protected, because that protects their monetary interest,” says Security Research Labs researcher Karsten Nohl. “The other key is less well protected, because it only protects your private data.”
The problem stems from laziness. The companies could almost effortlessly make two or three changes to tighten up security, firstly, to follow their own industry standards that have been in place for many years. Rather than sending random data in the constant "Are you there?" messages sent to your phone, they use plain text, making it easy to find you and connect a phone with specific data traffic. There is no reason whatsoever for this negligence, but the second step might require a bit more programming, namely, to stop the practice of reusing security keys over and over, making it easy for a hacker to run through a few keys and quickly tap into your session. The fix would probably take a programmer a couple of days and cost your phone company a whopping few hundred bucks. Multiplied by several phone companies, the astronomical price of securing hundreds of millions of phones - yours, mine and everybody else's - would run in excess of a few thousand dollars.
Okay, maybe that's a low-ball. Check out the article at ars technica.
December 17, 2010
Marketing: Top 5 Web Trends for 2011
Even in this economy, price competition isn't the answer. It can eviscerate the bottom line, and associates our brand with bottom feeders. Instead, in 2011 marketers will be learning to give something else to our prospects and customers. Social media, content push, convergence, social objects and service -- these five emerging trends are covered in an article on OpenForum.com, and I hope you'll read it. But here's the gist:
- Social Media. No, it's not Socialism. Yet. But the communities aggregated by Facebook are the 2011 equivalent of proletariat power. No longer are our gripes and kudos heard by only a few co-workers in the lunchroom, but by hundreds or thousands of our closest friends. And their closest friends. And their closest friends. B2B and B2C marketers are both learning the power of chatter. While waiting for the curtain to rise at a recent entertainment event, audience members all seemed to sort-of know one another. In clusters around the room, it became clear that almost all 150 or so attendees had responded to a Facebook invitation.
- Content Still Rules, but... We've all learned that developing rich online content is key to getting traffic and building credibility with our market. But much of that content just sits there. We've done the Email Newsletter thing, to push content out to our community. Tweets are the next step, using brief and much more frequent touches to keep our customers and prospects close. And tweets don't get your email domain blacklisted.
- Converge and Hybridize. There's the web site. And then there's the Facebook page. It's time to pull them together in a seamless environment that makes interaction integral to the web experience of all your visitors. And it's more than just putting an F button on your home page. (What? You still don't have an F button on your home page?)
- Widgets and Web Tools and Mascots - Oh, My! They're called social objects -- little bundles of clever or cute or useful that get picked up and sent around and pinned to other people's pages. Maybe it's a relevant cartoon or really funky-looking lolcat, or a widget that lets your visitors grab a chunk of your content for their own site or Facebook page. The point is to get other people giving your stuff away for you, just like the sample lady at the grocery store. Only for free; once you've covered development costs, that is.
- Serving is the New Selling. I can remember the exact day that I decided to start giving extreme customer service. It was just after I'd had a great customer service experience myself, with a vendor that made such an impression on me that I've stuck with them ever since -- three years now. It costs me absolutely nothing to make every customer feel smart, attractive, rich, famous and wanted. The actual content of a service event does use up a little more time, and sometimes I even make a follow-up call (which really blows their minds). But the first result is that I love doing it, and service events have become a true joy, and the ultimate result is that the bottom line proves that it works for the customers, too. Now, instead of spending time calling on leads, I spend my time with customers -- including the ones who are just downloading the freebies or have questions. I still have to get the word out, of course, but I can put more resources into direct mail and web advertising designed just to start a conversation. We're entering an age of smarter selling that's all about creating relevance and utility for our prospects and customers, and we're leaving the age of selling "lifestyles." Now, when we get that first contact, we have to listen for the person's existing patterns, to learn how we can help them get more value from the way they are already doing business, or living their lives. It's not about generating warm fuzzies, but about delivering real value -- the stuff that our price-competing competitors don't have any of.
November 22, 2010
Again: Why Is It You Don't Protect My Health Data?
Why do health plans and providers refuse to secure sensitive data when encrypting it costs nothing at all?
According to a study out of HHS that tracks healthcare data breaches, laptop computer theft was the most prevalent cause of data theft, involved in 24% of breaches. Desktop computers accounted for 16% of the breaches. Physical security is cited as an issue; had computers been kept behind locked doors, fewer would have been stolen. But that's just silly. You can't be locking and unlocking office doors all day long, and keeping a laptop in a locked room is sort of not the whole point of a portable computer.
So, why wasn't the data encrypted? "Ah," you say, "Let me explain our reasons: (1) encryption isn't really secure, (2) it costs money and wastes my time, (3) difficult to administer in an organization, and (4) I could be forced to type in my password at gunpoint."
Well, (1), wrong. Encryption is really secure; the chances of anyone being able to break modern layered encryption are somewhere between zero and non-existent* (except for pure random chance, unfortunately, like when they guess your password is hGRw5k9oBn28, or Let's1andallGo(straight)2Shaneequah'sHouse). Despite what the movies would have you believe, random strings and big long phrases with numbers and punctuation are easy to remember, but astronomically difficult to guess, even using brute force cracking software. ILoveMyCat isn't.
And, (2), wrong. Once set up on a laptop, an "encrypted volume" is just like another hard drive, and to use data on it you simply type in a password. No wasted time (oh, well, alright, however long it takes you to type in a handful of characters -- how bad are your keyboarding skills?).
And, (3), wrong. Are you just OK with losing my data, or is work too hard for you? And that old saw about not being able to administer open source software is inapplicable. Who cares if an admin can tweak and fiddle with the copies of copies of copies of redundantly off-site backed-up data that some lower-down has on his laptop?
And, (4), wrong again. The fear of being held at gunpoint while you type in a password for a file your attacker can see on your computer is simply a waste of good adrenaline. Modern encryption software provides full deniability, such that even the sensitive files themselves are invisible; which is to say, they are hidden encrypted inside another file, one that opens to reveal some non-sensitive content when you use one password, and the sensitive stuff when you use another password. Unless the attacker can see inside your head, he doesn't know the data is even there.
And it's free. Yup. Free, open source, downloadable, and you can have it on your laptop and running beautifully in minutes. We don't have any connection with the product, but we've been using it for years. It's called TrueCrypt. Setup took all of 15 minutes. Five years ago. If you don't use it and you lose my healthcare data, I'm going to be really ticked.
Okay, end of rant. Until the next stupid data breach.
*Alright, let's just say that the odds against are so unfavorable that even the most seasoned hackers won't take the bet.
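To put rough numbers on point (1), here is an added estimate (not the post's code) of the guess space for the three passwords the post names. The guess rate, the toy word list and its assumed real-world size are assumptions; the point it makes is that a password built from dictionary words is far cheaper to guess than its length suggests.

```python
# Added example (not from the post): guess-space estimates for the post's
# three sample passwords. Brute force grows with length and character
# classes; a password made of dictionary words is attacked by trying word
# combinations instead, which is why "ILoveMyCat" is weak despite 10 chars.
import math
import string

# Constructed toy word list standing in for an attacker's dictionary, plus
# the assumed size of the common-words list such an attacker would really use.
TOY_DICTIONARY = {"i", "love", "my", "cat", "dog", "house", "go", "and", "all"}
ASSUMED_WORDLIST_SIZE = 1000

_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
]


def charset_size(password: str) -> int:
    """Size of the smallest standard character set covering the password."""
    return sum(n for chars, n in _CLASSES if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the guesses an exhaustive search over charset**length needs."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def split_into_words(password: str, words=TOY_DICTIONARY):
    """Greedy longest-match decomposition into dictionary words (case folded);
    returns None when the password is not purely a run of known words."""
    s, out = password.lower(), []
    while s:
        for n in range(len(s), 0, -1):
            if s[:n] in words:
                out.append(s[:n])
                s = s[n:]
                break
        else:
            return None
    return out or None


def effective_bits(password: str) -> float:
    """Dictionary-composed passwords cost words * log2(wordlist) guesses,
    far fewer than the brute-force figure; everything else gets brute force."""
    words = split_into_words(password)
    if words:
        return len(words) * math.log2(ASSUMED_WORDLIST_SIZE)
    return brute_force_bits(password)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time at an assumed guess rate, searching half the space."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


# The three passwords the post uses as examples.
SAMPLES = ["hGRw5k9oBn28", "Let's1andallGo(straight)2Shaneequah'sHouse", "ILoveMyCat"]

if __name__ == "__main__":
    for pw in SAMPLES:
        bits = effective_bits(pw)
        how = "dictionary words" if split_into_words(pw) else "brute force"
        print(f"{pw!r}: {bits:6.1f} bits ({how}), ~{years_to_crack(bits):.2e} years")
```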
November 3, 2010
Call for CMS to Release Tax Number Data
The NPI Final Rule called for CMS to establish a system that would assign a National Provider Identifier (NPI) number to essentially every healthcare provider in the U.S. (HIPAA "covered entities"): now more than 3 million providers and growing. Great. But it was years before CMS released that data for the industry to use. CarePrecise personnel were at the forefront even back then, calling for CMS to release the data. If necessary, we were ready to fight for it, filing our own request under the Freedom of Information Act (FOIA). Federal agencies can't keep such kinds of data from the public. It's the law. CMS eventually looked at FOIA, and at their provider data, and decided that, sure enough, they were going to have to release it. We and our clients were ecstatic; now the industry would be able to produce the complex crosswalks necessary to actually achieve the efficiencies promised by the Final Rule.
Hurray... except CMS decided not to release one of the most useful data points of all. A provider's federal tax number is hardly a private number. Businesses have to give their tax number on every imaginable type of transaction. Employees see the employer's number on their W-2s. CMS's excuse was that sole proprietors and pretty much all individual practitioners would have to give their Social Security Number, or that busy doctors might type in the SSN in the wrong spot. Fair enough, but, as everyone who works with data knows, it's a piece of cake to parse a tax number field to determine if the number is a SSN or a business tax number. In fact, that's just exactly what CMS does in the Other ID fields of the NPPES (National Plan and Provider Enumeration System) database, replacing 000-00-0000 with a string of equals signs.
Instead of just redacting the SSNs, CMS decided it was best just to wipe clean the complete Employer Identification Number (EIN) field -- just in case some uppity docs got... uppity. Many of us have been hoping that CMS would revisit the issue of this gaping hole in the provider data, but it seems that the issue is to be ignored so that it will just go away.
So, here we are, once again, years into it, asking CMS to release non-SSN tax numbers/EINs so that we -- health systems and health plans large and small, clearinghouses, HIT vendors, medical billing and coding vendors -- can make this data do what it was intended to do for healthcare and for the taxpayers.
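An added illustration (not CMS's code) of the SSN-versus-EIN parsing the post calls a piece of cake: with hyphenated input it is, but a bare nine-digit string is ambiguous, so the block reports it as such and withholds it rather than guessing, masking with equals signs as the post says NPPES does. The rows and identifiers are constructed.

```python
# Added example (not CMS's code): classify a tax identifier field as an
# SSN, an EIN or ambiguous, and mask only what could be an SSN before a
# data release, so EINs can be published while SSNs are withheld.
import re

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")   # AAA-GG-SSSS
EIN_RE = re.compile(r"^(\d{2})-(\d{7})$")           # PP-NNNNNNN
BARE_RE = re.compile(r"^\d{9}$")                    # no hyphens: could be either


def ssn_structure_ok(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0


def classify_tax_id(value: str) -> str:
    """Return 'SSN', 'EIN', 'AMBIGUOUS' or 'INVALID'. Hyphen placement is
    what makes the call easy; a bare nine-digit string could be either,
    so it is reported as ambiguous rather than guessed."""
    v = value.strip()
    m = SSN_RE.match(v)
    if m:
        return "SSN" if ssn_structure_ok(*m.groups()) else "INVALID"
    if EIN_RE.match(v):
        return "EIN"
    if BARE_RE.match(v):
        return "AMBIGUOUS"
    return "INVALID"


def mask_for_release(value: str) -> str:
    """EINs pass through; SSNs and anything that might be one are replaced
    by equals signs of the same length; malformed values are blanked."""
    kind = classify_tax_id(value)
    v = value.strip()
    if kind == "EIN":
        return v
    if kind in ("SSN", "AMBIGUOUS"):
        return "=" * len(v)
    return ""


def release_records(records):
    """records: list of dicts with 'npi' and 'tax_id' (a constructed shape).
    Returns the releasable rows and a count of withheld values for the
    release's audit log."""
    out, withheld = [], 0
    for rec in records:
        if classify_tax_id(rec["tax_id"]) != "EIN":
            withheld += 1
        out.append({"npi": rec["npi"], "tax_id": mask_for_release(rec["tax_id"])})
    return out, withheld


# Constructed sample rows; every identifier here is made up.
SAMPLE_ROWS = [
    {"npi": "1234567893", "tax_id": "12-3456789"},    # EIN: releasable
    {"npi": "9876543213", "tax_id": "123-45-6789"},   # SSN: mask
    {"npi": "1111111112", "tax_id": "123456789"},     # ambiguous: mask
    {"npi": "2222222228", "tax_id": "666-12-3456"},   # impossible SSN: blank
]

if __name__ == "__main__":
    rows, withheld = release_records(SAMPLE_ROWS)
    for row in rows:
        print(row["npi"], row["tax_id"] or "<blank>")
    print(f"{withheld} of {len(rows)} tax IDs withheld")
```

A real release pipeline would log the withheld count per batch and fail closed if a field intended to hold EINs suddenly arrives unhyphenated, since the parser can no longer tell the two apart.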
November 2, 2010
Federal Physician Comparison Website Coming
CMS has until January 1 to create the new PhysicianCompare.hhs.gov site, intended to make it possible to look up info on your doctor and compare her quality to that of others. Like HospitalCompare.hhs.gov launched recently, the notion is that these sites will create the incentive for providers to give better care, ultimately helping to control healthcare costs. As required by the Affordable Care Act, CMS has two years to get the site serving up quality data on docs.
Not only must quality data be available to help patients make smarter healthcare purchasing decisions, but the Act requires that the site help physicians to actively use the information to improve quality.
At a five-hour-long Town Hall last week, CMS gathered doctors, hospitals, employers and anyone else who wanted to participate with the goal of getting input on what the site should contain. The outspoken participants told them, among many other things:
- Physician's sex, race and age
- Languages spoken
- Office hours
- Medical degrees and schools
- Hospitals where they have privileges
- How long in practice
- Health networks they belong to
- Awards received
- Community service work/care for the poor
And here's a big one: Should physicians' charges be disclosed? How can you make a value decision without prices? Doctors who charge more might offer additional services; what about house calls, or no-wait appointments, or a Personal Health Record (PHR) portal -- should this information be available?
Naturally, the AMA is pushing back a bit. AMA president James Rohack, M.D. told HealthLeaders Media last week that the AMA's concern is that "individual doctor-level data right now is not ready for prime time, especially in complex situations. The attribution of who's really responsible for that care is not worked out." Dr. Rohack said that doctors aren't particularly afraid of being graded: "The reason we became doctors was because we got good grades."
These and many more questions remain to be resolved even before determining exactly what data will be collected -- a step that is mandated to begin in January of 2012. But pulling away the veil of mystery surrounding the work of the physician is long overdue and worthy of the gargantuan task facing CMS. Unless a wing nut Congress repeals or guts the law within the next two years, we will finally be able to look under the hood before making some of the most important and most costly buying decisions of our lives.