December 24, 2011

Five Steps to EHR: A .Gov Primer

Now that electronic health record software is a virtual necessity for a productive practice, HealthIT.gov offers a common-sensical five-step plan for implementing EHR in a practice. A number of years ago, we worked with the national Blue Cross and Blue Shield Association to create a case-based analysis of the EHR scenario. That publication outlined the efforts of many practices to incorporate EHR into multi-physician practices. Check out the current wisdom at HealthIT.gov.

October 10, 2011

Phone Messaging: New Channel to Physicians

It's wildly hit-and-miss -- much like email spam -- but marketers are increasingly using bulk text messaging to penetrate the armor cladding of physician offices. And it's a wide open opportunity; physician office phone numbers are openly published, unlike email addresses. Fax numbers are available too (CarePrecise provider data includes both phone and fax numbers, up to four numbers per record, and we know that it is widely used for marketing to physicians), but "faxpam" doesn't have the same high-tech glamor. Unlike a fax broadcast, text messaging allows marketers to embed a live link to a web landing page, as well as an instantly accessible means for recipients to opt out, making bulk SMS marketing just a little bit more respectable. (Ever tried to get a faxpammer to stop? Ha!)

So what's the difference between bulk SMS cold-calling and plain old spam? Not much, except that it's newer and less fraught with sleaze. And here's something more: It's not free, so spammers can't just set up a computer and start sending 100 million spam messages a day at essentially no cost. Text messaging to phones requires that you have an SMS gateway, or an account with a service provider who has one. These are available to bulk senders, but at a price. Okay, it's not exactly postage, but it's at least a price.

Among the numerous offerings for bulk SMS gateway and software services are Mobomix and TXTwire. Both offer essentially unlimited sending with premium accounts, but both enforce opt-in requirements. That is, you can't just upload a database of phone numbers, such as the 5 million or so in the CarePrecise database, and start texting. Instead, these services require that you are sending only to your own customers or others who have explicitly said, "Yeah, okay, text me spam."

Of course, there's always a workaround. Another company, SMScountry, offers an Excel plug-in that lets you send personalized text messages. While they have a similar anti-spam policy, the way the system works would make it difficult to police. As with all bulk SMS systems, it isn't particularly easy for a recipient to contact the carrier to complain. The carrier backbone for SMS is a bit primitive compared with that of email, and there are fewer hooks for filtering messages by the carriers, should they ever want to do what ISPs are doing about email spam. It's pretty much up to the owner of the gateway.

In the war between marketers and physicians, both sides escalate as new weapons or defenses arise. A fax isn't likely to ever see a doctor's spectacles, but that same unreachable physician isn't really that unreachable if you can get his email address or phone number. Naturally, it helps to have her mobile number rather than just the office phone, for obvious reasons. But if you've got a product to sell to docs, any opening is a huge gaping hole, and, even if the text message gets converted to a computer-voiced voice mail message, and, even if only the smallest percentage reach a bona fide phyz, maybe paying $60 a month for a bulk gateway account with few limits sounds good to you. And a good many of those published numbers are cell phones, some portion of them presumably reaching right into a doctor's pocket.

Bulk SMS has its Whitehat side, of course. Services that allow you to enter your customers' account info and send text billing notices, patient appointment reminders, among a host of other applications, are opening up the commercial use of phone messaging. I opted in for a J.C. Penney's coupon texting service, and I use it.

But let's say you've got a nice big customer list, folks who freely gave you their phone numbers (long before the advent of SMSpam, but still...). Can you send 'em all a coupon, or a new product announcement, or an offer of a free EHR assessment? I want to say no, but we send these same customers more-or-less "unsolicited" email, at least in the sense that they never explicitly said "Send me your coupons," but something more like "Send me product update notices via your monthly newsletter." That phone number was optional, right? Houston, we have achieved opt-in.

Certain advantages of smartphones, such as the ability to blacklist messagers, are a helpful control. The barriers to entry are currently very high for an SMSpammer who wants to set up his own unrestricted gateway, so he'll be using these third party services and, perhaps, have to behave himself. But look for text marketing to grow wildly in the near future.

Check out our page on Marketing to Healthcare Providers.

September 21, 2011

Nifty Licensing Agency Contact Resource

Want to know who the various healthcare provider licensing entities are for a given state? Palmetto GBA has made that a piece of cake now. Their new database of licensing requirements (primarily for use by DME suppliers) includes the licensing bodies for each state. For example, here's what they show for New York:

1) New York State Board of Pharmacy
Phone: 518-474-3817 extension 130
Web: http://www.op.nysed.gov/prof/pharm/
- Registered Pharmacy Establishment Certificate
2) New York State Board of Pharmacy, Office of the Professions
Phone: 518-474-3817 extension 250
Web: http://www.op.nysed.gov/prof/od/
- Ophthalmic Dispenser License
3) New York State Board of Respiratory Therapy
Phone: 518-474-3817 extension 120
Web: http://www.op.nysed.gov/prof/rt/
- Respiratory Therapist
4) New York State Education Department, Office of the Professions
Phone: 518-474-3817 extension 591
Web: http://www.op.nysed.gov/prof/
- Optometrist License
- Physician License
5) New York Department of Health
Phone: 518-402-1016
Web: http://www.nyhealth.gov/
- Ambulatory Surgical Center
- Home Health License
- Hospital License
- Nursing Home Administrator License
- Nursing Home License

Another table shows the type of provider with a link to the number (as listed above), and still another nifty feature lets you choose a healthcare product or service from a dropdown, and jumps you to a listing of the various licensing requirements. Kudos!

HIPAA Hacked: ALL YOUR MEDICAL RECORDS ARE BELONG TO US

SSL/TLS, the encryption system that has been keeping online credit card transactions and HIPAA-sensitive communications safe for over a decade, has broken down. As shown by researchers at a recent conference, a simple tool now gives hackers access to your PayPal transactions and much more. Gonna be fixed? Possibly not for many months, even years, since any change to the SSL/TLS protocols causes ecommerce to break for any number of sites, depending on the server or browser involved in the transaction. The hack is truly a killer app.

Just google SSL/TLS HIPAA and you'll find hundreds of applications that use Secure Sockets Layer/Transport Layer Security technology to secure electronic medical records transactions. (Here's an ironic example of the misinformation out there, labeled "Completely Secure Collection of Web Form Data using SSL".)

An article in The Register reports that a couple of researchers announced a demo of their tool, called BEAST (Browser Exploit Against SSL/TLS), at a Buenos Aires security conference last week. BEAST performs a "plaintext-recovery" attack, exploiting a previously theoretical but known weakness in TLS. During encryption, the TLS protocol scrambles each subsequent block of data based on the previous encrypted block. It had long been theorized that an attacker could manipulate the process to make educated guesses about the contents of the plaintext blocks. If a guess is correct, the block cipher produces the same output for the new block as it did for the earlier one, resulting in identical ciphertext. Security just goes POOF.
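The chaining property described above, and why the per-record random IV introduced in TLS 1.1 removes it, shown as an added example that is not from the original post or from the BEAST tool. The Feistel function is a stand-in for AES so the code runs with the standard library only; `CbcChannel` and `guess_confirmed` are hypothetical names, and the sample blocks are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as with AES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Toy 4-round Feistel permutation standing in for AES (assumption)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class CbcChannel:
    """CBC record encryption with either TLS 1.0-style or TLS 1.1-style IVs."""

    def __init__(self, key, chained_iv):
        self.key = key
        self.chained_iv = chained_iv      # True: TLS 1.0 behaviour
        self.last_block = os.urandom(BLOCK)

    def send(self, plaintext):
        if len(plaintext) % BLOCK:
            raise ValueError("plaintext must be a whole number of blocks")
        # TLS 1.0 reuses the last ciphertext block of the previous record
        # as the IV; TLS 1.1 and 1.2 draw a fresh random IV per record.
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        prev, blocks = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = encrypt_block(self.key, xor(plaintext[i:i + BLOCK], prev))
            blocks.append(prev)
        self.last_block = prev
        return iv, blocks


def guess_confirmed(channel, secret_block, guess):
    """Return True if an on-path observer can confirm `guess` from ciphertext.

    Record 1 carries the secret. The observer assumes the next IV will be
    the last ciphertext block it saw, and has the sender encrypt a block
    built from the guess and the two IVs. Equal ciphertext means the guess
    was right, which only holds when the IV really was predictable.
    """
    iv1, rec1 = channel.send(secret_block)
    predicted_iv = rec1[-1]
    probe = xor(xor(guess, iv1), predicted_iv)
    _, rec2 = channel.send(probe)
    return rec2[0] == rec1[0]


if __name__ == "__main__":
    key = os.urandom(16)
    secret = b"sessionid=A1B2C3"          # constructed 16-byte sample
    for label, chained in (("TLS 1.0 chained IV", True),
                           ("TLS 1.1+ random IV", False)):
        hit = guess_confirmed(CbcChannel(key, chained), secret, secret)
        print(f"{label}: correct guess confirmed = {hit}")
```
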

At the moment, BEAST requires a little under two seconds to decrypt each byte in an encrypted cookie, used by a web browser to secure an online transaction session. Doing the math, a 1,000-byte cookie would take maybe half a minute, but researchers Thai Duong and Juliano Rizzo have now announced that they've tweaked the process down to about ten seconds. That's plenty quick to grab whatever users are sending, decipher it, and, well, steal it.

So, what are browser makers doing to plug this new hole? One word: Nothing. What's the holdup? Well, although this "theoretical" hack has been understood for years, a secure transaction involves just too many parties to get it all straightened out without knocking out millions -- perhaps billions -- of transactions for perhaps an extended period of time. For instance, the Firefox and Chrome browsers (according to w3schools.com, Firefox gets 40.6% of traffic, while Internet Explorer gets just 22.4%, and Google Chrome gets 30.3% as of August 2011) use the open source Network Security Package to implement HTTPS. But there are other security packages out there, and IE uses one of them. Any change would require simultaneous change to all packages. And that's not the half of it; the servers use multiple SSL implementation platforms, such as OpenSSL, and all of those would have to change at the same time. The offending protocol, TLS 1.0, has been available in upgraded versions (1.1 and 1.2) since 2006, but getting all the ducks lined up just isn't happening. While IE 8 and up include support for TLS 1.1 and 1.2, which do not appear to have the vulnerability, they are not the default, and they still rely on servers to accept the protocols without falling back to 1.0.

“The problem is people will not improve things unless you give them a good reason, and by a good reason I mean an exploit... It's terrible, isn't it?” said an analyst with the security firm Qualys.

There appear to be no reliable estimates of the percentage of HIPAA electronic transactions that are secured using SSL with TLS 1.0. But considering that, in the absence of a broadly implemented general browser-server solution, any TLS v1.2 implementation would require proprietary code at both the server and client sides, transactions running under the hackable version would likely be the overwhelming majority. As of early 2011, Microsoft's .Net framework did not support the updated TLS protocols, suggesting that any EMR, EHR, eligibility and billing applications developed at that time may not support them either. Time to call your vendor?
Check Comments below for updates...

    September 11, 2011

    91 Charged With $295 Million Medicare Fraud

    Ninety-one doctors, nurses and others were charged in a blockbuster sting operation, with arrests unfolding over three weeks and culminating in 70 arrests last week. In 2007, a strike force was set up between the Department of Justice and the Department of Health and Human Services to identify and build federal fraud cases to fight criminal abuse of federal healthcare programs. U.S. Attorney General Eric Holder said that arrests were made in eight US cities involving more than $295 million in stolen funds.

    Almost half of those charged were part of a Florida ring that recruited healthcare providers to refer patients to a mental health center, in some cases threatening residents of a halfway house with eviction if they refused the unnecessary care. Another case involved $3.4 million in unnecessary physical therapy by two Brooklyn physicians.

    On September 1, officials in Detroit charged 18 physicians, nurses, clinic owners and other medical professionals for submitting $28 million in false claims to Medicare. Just one day earlier, the owner of a Houston, Texas durable medical equipment business was sentenced to 97 months in prison for his role in a Medicare fraud scheme.

    In all, the strike force, known as Health Care Fraud Prevention and Enforcement Action Team (HEAT), has charged 1,140 defendants who collectively have falsely billed the Medicare program for more than $2.9 billion.

    When providers have been convicted of fraud and certain other infractions and delinquencies, their names are placed on the List of Excluded Individuals/Entities (LEIE) database. CarePrecise compiles this data into its comprehensive database of U.S. healthcare providers, identifying excluded providers' NPI numbers, phone and fax numbers.

    Read the full story on the HHS website.

    September 9, 2011

    U.S. Doctors Earn Big, Drive Up Costs

    According to a new study published in Health Affairs, America's approximately 1.1 million physicians are paid dramatically higher fees than those in all of the other more than 230 Organisation for Economic Co-Operation and Development countries. Per capita, our physicians are paid $1,599; other countries averaged significantly less than that -- about 81% less -- or about $310. The difference, nearly $1,300, is a major factor in driving up U.S. healthcare costs, and, according to the report, is the main cause of higher overall spending in America on physicians' services.

    The disparity comes into stark focus in the area of specialists' fees. While U.S. primary care docs earned significantly more than their foreign counterparts -- averaging $186,582 annually -- orthopedic physicians earned $442,450. As an example, the study compared physicians' fees paid by public and private payers for hip replacements in Australia, Canada, France, Germany, the United Kingdom, and the United States, finding that much higher fees were paid to U.S. orthopedic physicians for hip replacements (70 percent more for public payers, 120 percent more for private payers) than public and private payers paid these specialists in other countries. The study concludes that "the higher fees, rather than factors such as higher practice costs, volume of services, or tuition expenses, were the main drivers of higher U.S. spending, particularly in orthopedics."

    According to August, 2011 CarePrecise data, of the approximately 1.1 million U.S. physicians, about 35,500 practice as orthopedists and orthopedic surgeons, with another 378,000 specialists practicing in the high fee taxonomies. Only about 160,000 U.S. physicians serve in family practice.

    August 4, 2011

    And They Were So Close to Canada!


    Looks like some Medicare patients will go to any lengths to escape the high cost of U.S. prescription drugs. Even if only through opium-induced euphoria.

    Michigan: Twenty-six persons have been charged by Federal investigators in a Medicare fraud scam that took in more than $58 million in fraudulent billings and illegally acquired more than 6 million doses of pricy medications. Drugs were used to entice Medicare patients to play along.

    The brains of the gang, one Babubhai Patel, ran a network of 26 Michigan pharmacies that bribed physicians to write the prescriptions, many of them opiates and other frequently-abused pharmaceuticals. Physicians recruited grandmas as mules. Medicare patients would knowingly fill the illicit prescriptions, keeping the drugs and handing over their Medicare and Medicaid billing information to the conspirators. Four doctors and ten pharmacists, as well as some of the patients and others, were indicted in the federal grand jury action.

    July 7, 2011

    A Nut Too Tough to Crack?

    One of the hardest problems in health IT is the effort to get data from different silos into a centralized database that can be searched as a single dataset. So, this is us announcing our new "linking and shrinking" technology, code named "Squirrel." What does it do?

    Squirrel is a record-linkage and deflation system that pulls in data from multiple federal provider databases in various formats, makes them play nice together by linking everything up under providers' NPI numbers, preserves all the data but shrinks the file size down to about 9% of the original size, puts it in a format that can be managed in Microsoft Access or other garden variety database software, downloads it to our customers, and then does it all again fresh every month.

    The technology is built on record-linkage methods developed over twenty years. Interesting trivia: The precursor to the current system was built in Microsoft Access 1.0 -- you remember it, the Introductory Package -- in 1992. While we don't share all the secrets, the basic trick involves pattern matching algorithms and a lot of processing time to handle more than 13 million rows of data, comparing each provider's records between all the sources. The end result is called CarePrecise Access.

    We just sent out a press release about the whole thing.

    Now you'll excuse us, as we have some more nuts to collect and crunch on.

    July 1, 2011

    Health IT Talent at a Premium, or Take 2 Aspirin and Call Me a Headhunter

    It's hardly news that the pool of qualified healthcare information technology professionals is drying up as providers and vendors race to meet tech deadlines associated with federal HIT funding programs. For HIT folk like us, this rocks! Except, of course, when we're trying to flesh out project staff and we learn that the talent is beginning to know what it's worth.

    At stake is the $25 billion allocated in 2009 by the American Recovery and Reinvestment Act for EHR and other health IT outlays. Providers can be compensated for costs if they jump through the hoops by certain dates, with several important deadlines coming through the next several months. July 3 is the last day for hospitals to begin the 90-day reporting period in which they must demonstrate Meaningful Use for the Medicare EHR incentive program for federal FY 2011.

    Oct. 3, 2011 is the last day for physicians to begin their Meaningful Use reporting period for EHR, and November 30 the curtain drops on general and critical access hospitals registering for payments. And that's just a handful of the headaches.

    In addition to all of this activity, ICD-10 and 5010 implementations are also looming. If you're in HIT and you haven't asked for a raise, as my daddy used to say, "What's wrong, cat got your tongue?" (Apologies to our CIO friends.)

    Medicare Wins in Vegas Fraud Case


    Rakesh Nathu, a Las Vegas oncologist, settled his fraud case with the Justice Department yesterday for $5.7 million plus interest. Dr. Nathu was accused of submitting false claims to Medicare, TRICARE and the Federal Employees Health Plan for various radiation oncology services, including intensity modulated radiation therapy, and double billing for services. We hope he did better at the craps table. The government has recovered more than $7.3 billion in False Claim Act cases since 2009.

    Among CarePrecise clients are law enforcement agencies working on federal and private payer fraud investigations. As a result of work done for our clients, we developed a means of matching the federal fraud conviction list with providers' NPI records, and associating certain demographic data with practice locations to help visualize patterns. Late in 2010 we began including the fraud data in our CarePrecise Access Complete dataset, and the additional economic data in CarePrecise Gold products. Now included is a flag that indicates provider records whose data strongly suggest a match with the federal LEIE (List of Excluded Individuals/Entities) database. Other features help investigators track providers' licensing, credentials, specialty codes, enrollment in the PECOS database, and numerous other functions.

    Read the Justice Department news release.

    June 28, 2011

    New Way to Market to Healthcare Providers

    The international PR firm Ogilvy has just released a study prescribing a shift in healthcare marketing from the exploitation of clinical breakthroughs to something Ogilvy calls "sustainability." They're not talking about the sort of sustainability we in healthcare usually mean, such as the sustainability of a health information exchange's business model. Instead, they're suggesting that we start selling green.

    Companies with strong environmental competencies will rule the market in the coming years, say the investigators, Jeff Chertack and Monique da Silva. In an op-ed by Chertack, he says that "[the new] value will be delivered by new healthcare products and delivery systems that help society adapt to and thrive in changing climate and disease patterns."

    CarePrecise Technology made a move in the past year toward eliminating a large part of its carbon footprint by shifting even our largest file deliveries from physical (DVD disks) to virtual. All new product sales are now 100% virtual, and as subscribers renew, their deliveries will be virtual as well. Not only has the shift reduced fuel and materials consumption, but products are now delivered in less than half the time. In a business where the freshness of data is crucial, every hour counts. CarePrecise's NPI directory unit, NPIdentify, has produced state NPI directories in electronic form only since 2007.

    CarePrecise's data center is a shared environment, utilizing hyper-efficient cloud computing resources. Except for certain mission-critical operations performed on in-building platforms, all front-end operations and many back-office computing tasks have been moved to the cloud, dramatically reducing office space utilization and fuel consumption.

    Whether the healthcare industry in specific, and the broader business community in general, will effectively turn environmental competencies into profits is still an open question. Certainly, entities like hospitals make huge impacts and consume enormous resources (think about all those disposables and all those sheets washed after 30 minutes of use, pillows, trays and pitchers discarded after each patient...), and spectacular improvements could be made. Vendors who help these organizations green up are offering a new way to compete for patients. The competitive advantage offered by corporate carbon consciousness could be tomorrow's marketing edge for providers and their vendors.