
By Rebekah Bernard, MD
According to a recent report from the New England Journal of Medicine, female primary care physicians generate 10.9% less revenue from office visits compared to male physicians, despite spending 2.6% more time in the office with patients. Although female physicians had a lower volume of patient visits, they spent almost 16% more time with each patient. During this additional time, researchers found that female physicians placed more medical orders and discussed more medical diagnoses and preventive care than male physicians.
This begs the question: Why are women not being paid for their additional labor? According to the study, the answer seems to be that male physicians are simply better at billing for their work than female physicians, including billing based on time. Also, female physicians in procedural fields like radiation oncology were less likely to bill for “lucrative procedures” than male physicians.
Here’s the good news: This is one type of gender pay difference that is easy to fix. Female physicians can either opt out of a broken health care system that rewards short visits and high billing codes and enter into a direct primary care (DPC) model, or they can invest some time learning how to work the system to their advantage. As a female family physician, I’ve done it both ways. Although I advocate for the former (DPC has been a life changer for me), I was also able to out-earn many of my male colleagues in traditional practice by learning how to outsmart the system.
What follows are my top tips on how female physicians can close the gender pay gap in a practice using the relative value unit model.
Don’t give away your time
Unlike attorneys, a physician’s billing clock only starts ticking when we have a face-to-face encounter or formal telemedicine session with a patient. Phone calls and emails reviewing lab results are not compensated. Medication refills, prior authorizations, insurance forms, disabled parking passes, jury duty excuses, school medical excuses — physicians are not paid for any of these services, even though they may take a considerable amount of time (family physicians spend nine hours per week on uncompensated labor).
The reality is that in a fee-for-service insurance model, the only way to be fairly compensated for work as a physician is to see patients in the office. So rather than calling or emailing lab results, schedule your patient to return for a visit to review results together. If a patient calls with questions, concerns or clarifications, ask them to schedule an office visit. After all, an office visit is almost always the best way of evaluating your patient and providing the best medical care.
In addition, every time a form appears on your desk to be filled out, forward it to your office scheduler with a note to bring the patient in for an office visit. Doing paperwork while the patient is in the office not only allows you to bill for your work, it also saves you time: The chart is ready for you, the patient can directly answer many of the questions on the form and you have the opportunity to address medical concerns that relate to the paperwork, such as changing a medication or requesting prior authorization for a medication that is medically necessary but not covered by the patient’s insurance.
Be available for your own patients
Don’t miss out on quick, easy visits like urinary tract infections or minor skin infections because you lack schedule availability. With the current system of coding, a minor issue that you can attend to in five minutes is reimbursed just a bit less than a visit that takes you 30 minutes and loads of cognitive effort. The best way to ensure availability is to block several slots per day for urgent, acute care visits. These can be dispersed throughout the day or reserved during certain intervals, such as the last hour of the morning or the end of the day.
Schedule frequent follow-up visits
It is simply impossible to attend to every single problem that a patient has in one visit, along with addressing preventive care, although it’s clear from the New England Journal of Medicine study that female physicians certainly try their best! We need to accept that we can’t do it all, and instead, prioritize the most important issues and ask our patients to schedule follow-up visits. This can be difficult, as many of us are “people pleasers” and fear letting down our patients. We also worry about patients’ schedules and causing an additional copay. However, we need to accept that one of the keys to quality health care is developing a long-term relationship with a patient. Having the same physician over time reduces patient mortality by allowing more opportunities for us to explore our patients’ health and intervene in their lives. Remember: You cannot address a lifetime’s worth of problems in a single 15-minute visit, and you must not expect this of yourself.
It’s especially important to schedule frequent follow-ups with patients who have serious chronic health conditions or underlying psychological conditions like anxiety disorder. Some of these patients are prone to showing up without appointments, often in crisis, and can severely impact the day’s schedule. By scheduling frequent follow-up visits, you eliminate some same-day, “urgent” appointments. Frequent visits are reassuring to patients, many of whom fear abandonment. It also helps to tell your patient how much time you have scheduled for them at their appointment, to help them prioritize what is most important.
Capture add-on codes
When families come into the office together, “surprise” visits can cause a strain. You know the situation. You’re in the exam room seeing a well child when Mom points to a sibling and says: “Can you just check his brother’s throat? He’s been complaining that it hurts.” Or you’re seeing a husband and wife together, but just one is scheduled for an appointment. Inevitably, the conversation turns to a concern about the other spouse’s health.
This creates a dilemma. Although you could ask the “add on” patient to schedule an appointment to discuss their issues, it may be quicker and easier to address the problem directly. However, don’t forget to capture a billing code for your work. Even if you spend minimal time, you are likely to garner enough information to capture at least a level 99212 code for the work you did.
Also don’t forget to ensure that you properly bill for wellness visits and screening codes. The most efficient way to do this is to create a template or form. I also recommend including the dates of your last preventive screening in your problem list, where you can see at a glance what services are due.
Don’t sell yourself short
Female physicians must take the time to learn how to code accurately to be fairly paid for their work. Often, we underestimate the amount of work we’re doing and undercode. Yes, it seems unnecessarily complicated, but a few steps can make it easier. First, remember that billing codes are driven by the extent of medical decision-making. If a patient has a new problem, requires additional evaluation like blood tests or needs a prescription medication, they are likely going to warrant a higher level of service. If a patient has a life-threatening condition, you need to call 911 or you are going to really worry about the medication you must prescribe, then the level of service increases to the maximum. To ensure that you are checking all the right bullets, consider posting a chart of coding requirements for history, physical and medical decision-making next to your computer.
As a physician, you should never be coding a 99211, which is a nursing code for an evaluation ordered by a physician, like a blood pressure check. If you take a quick look at a patient and make a straightforward recommendation, you have earned at least a 99212.
Don’t forget to use time-based documentation when you spend the bulk of your visit “counseling or coordinating care.” For example, time-based coding will likely come into play with the patient who comes in severely depressed or has a stack of forms for you to fill out. While you don’t have to do lots of documentation for history or physical, you do have to document the time spent, both total and counseling time, and the details on the counseling/coordination of care activity.
Don’t be afraid of procedures
Our current system rewards interventions more highly than cognitive services. Primary care physicians should take advantage of this to serve patients. The key to success is having proficiency in your procedural skills and developing an established protocol for each procedure that you perform in the office.
If you didn’t have the opportunity to practice many procedures in your residency, many courses are offered at continuing medical education conferences. Another way to gain expertise is to find a physician mentor who does procedures in the office. Of course, be sure to know your limitations, and when in doubt, refer the patient to the appropriate specialist.
Before performing a procedure, break it down into individual steps. Create an organized list of supplies and actions required. Be sure that you have all the proper equipment ahead of time, and get the best equipment that you can afford. Develop a plan for follow-up and a patient handout, if necessary, for after the procedure. Using your prepared protocol, your medical assistant should be able to quickly ready the exam room for the procedure. Also make sure that your patients know that you offer office procedures so they can contact you if they need help, rather than visiting an urgent care or specialist.
Source: Medical Economics, February 2, 2021 (https://www.medicaleconomics.com/view/6-ways-physicians-can-close-the-gender-pay-gap)
By Willy Leichter
Ransomware is perhaps the greatest cybersecurity challenge facing the healthcare industry right now. A recent survey found that 73 percent of health systems, including hospital and physician organizations, reported their data infrastructures are unprepared to respond to attacks. The survey estimated that healthcare providers with 500 or more records are a staggering 300 percent more vulnerable to data breaches.
Numerous hospitals and medical centers have had operations severely impacted, or even halted, by attacks, which is challenging under normal circumstances but nearly insurmountable in the midst of a pandemic. In the instances reported, files and systems became infected, forcing practitioners to use manual pen and paper systems to keep operations from shutting down completely.
Attackers use a wide range of techniques to break into systems, find sensitive data, deploy encryption tools to lock data, and then demand a ransom in exchange for retrieving encryption keys. By employing the measures outlined below, healthcare practitioners can help protect their business, their patients, and their data from ransomware attacks in 2021 and beyond.
Invest in An IT Staff
One key thing that makes a healthcare system an easy target is an understaffed IT department. For all the advanced medical technology and expertise hospitals and medical centers have in spades, they are frequently less prepared in the IT department. Technical staff and security funding tend to be in limited supply, and bad actors will schedule their attacks on weekends or off-hours, when they know IT staff is scaled back from the regular workweek.
Investing in a professional IT staff will ultimately save practices valuable time and money. Organizations need to shift to a “prepare and prevent” mindset, rather than “deal with the cleanup after-the-fact.”
Another reason healthcare systems are easy targets is that they tend to have a mix of older, legacy equipment and systems, as well as cutting-edge technology. If the older systems are not properly maintained, updated and/or patched, they become vulnerable.
Older medical devices, such as MRI machines or machines with databases built into them, have vulnerabilities that are well known to seasoned ransomware attackers, such as password-related backdoors due to weak manufacturer-set passwords or poor password security practices.
Future-proofing information systems and the application infrastructure against ransom attacks is essential whether or not the practice has suffered an attack. Practitioners must assume that the precursors to the next attack are already inside the system. Once inside a system, ransomware and associated malware are designed to look like normal operations. This is how they are able to dwell inside networks for weeks and months, executing undetected.
Advanced cybersecurity solutions enable visibility into essentially every application function during runtime, with real-time insight into performance. The aim is to stop exploits as soon as they occur, before any significant damage is done. These solutions are designed to detect and stop any code that deviates from normal.
Educate All Employees
All employees, from doctors to front office staff, must be on high alert. Cyber criminals are using increasingly manipulative exploits during the global health crisis. It’s important for every practice to educate their staff about phishing email and other potential risks to avoid. Research states that nearly 93 percent of attacks infect systems from a phishing email with a malware-laced link. “Drive-by downloading” is another method where a user accesses an infected website and becomes infected.
Particularly with an increase in remote work, medical networks are even more vulnerable, and staff need to be extra cautious. Oftentimes medical staff need to access critical data from remote laptops, some of which may be personal laptops or devices that have users other than the employee. Without remote work, server workloads would mainly only be exposed to private networks. Now they are exposed to remote workers’ unsecured devices, further exposing practice networks.
Staff should enable two-factor authentication on network devices and systems and follow a password management policy that enforces regular updates and strong passwords. Implement a reliable backup and recovery system protected from network access. Regularly update all software, operating systems and anti-virus solutions. These small steps in everyday practice workflow can ultimately be the first barrier of defense from a ransomware attack.
Regardless of how much practices prepare, hackers will continue to hack successfully. The question healthcare systems face now is whether their network is prepared to handle better and more frequent attacks without shutting down completely. Healthcare organizations are critical infrastructure, providing essential services for the public. Their many vulnerabilities leave them exposed, but by implementing these key steps to protect their organization, practitioners can strengthen and fortify their security stance.
Source: Physicians Practice, December 18, 2020 (https://www.physicianspractice.com/view/3-steps-to-protect-your-practice-from-ransomware)
By Daniel B. Frier, Esq.
The increased emphasis on cost, quality and compliance in the delivery of healthcare has simultaneously promised to save our healthcare system, while adding immense complexity to the private practice of medicine. The advent of MACRA and all of the intricate payment methodologies proposed by CMS will inevitably trickle down to commercial payers, providing opportunities for well-prepared physicians, but leaving most small, unsophisticated medical practices ill-equipped to survive in the new data-driven environment.
As hospitals have scrambled to form captive practices, co-management relationships, ACOs and CINs in an almost scattershot attempt to garner marketshare, small medical practices will likely be faced with take-it-or-leave-it payor contracts that virtually guarantee a smaller piece of the overall reimbursement pie. These market forces have caused physicians to increasingly see the need to become part of larger networks of physicians which are able to engage as a group in alternative payment arrangements with CMS, commercial insurers, self-insured employer plans and hospital organizations. These networks must be sufficiently integrated to avoid federal and state anti-trust violations, and be able to monitor and enforce compliance among their physician participants in order to enter into meaningful fee arrangements with payors.
The gold standard for integration is a clinically and economically integrated group practice operating under a single Taxpayer Identification Number (T.I.N.). Commonly referred to as “Super Groups,” these practices have proliferated over the past several years because, if formed properly, they provide many advantages over traditional practice structures in the face of the paradigm shift that is occurring in the delivery of healthcare.
Structure
Super Groups are commonly formed as limited liability companies (LLC) owned exclusively by qualified physicians licensed in the state where the Super Group is located, with each physician owning one membership unit of the LLC. In general, all of the partners/owners of the practices joining the Super-Group will become members, and all associate physicians will become associate physicians (non-members) of the practice, and be required to enter into associate employment agreements directly with the practice.
Although a Super Group is a single group practice operating under one T.I.N., one of the frequently used methods to organize the Super Group involves using separate “Care Centers,” each of which constitutes a separate “satellite” office location or group operated by those physician members of the Super Group who are affiliated with that particular Care Center. Each formerly independent medical practice will cease to practice medicine as a separate company, and the physicians will comprise their own separate and distinct Care Center of the Super-Group. In general, a Care Center’s professional collections will be distributed to the Care Center, after subtracting its direct expenses (e.g., rent, payroll, insurance), and the Care Center’s allocable share of common overhead. This Care Center model allows the former groups to retain a great deal of autonomy while still enjoying the benefits of the Super Group.
Benefits of Super Groups
The basic theory behind the formation of a Super Group is that physicians will generally be in a better position to face the ever-changing and complex healthcare environment if they are part of a larger group of like-minded practitioners. Super Groups hold a number of advantages over smaller practices, and the following list provides some examples.
Super Groups are in a better position to implement alternative fee structures such as bundled payments, episodes of care and shared savings because of their size, access to more sophisticated information technology and level of clinical integration.
As a Super Group, physician members may be in a better position to implement quality and efficiency initiatives that will enable it to negotiate with third-party payors than would a much smaller practice. For instance, Super Groups have the opportunity to accumulate substantial data that may be used to implement quality and cost-saving measures that, because of the increased number of physicians in the practice, can result in substantial absolute dollar savings that can be used as a tool in pro-competitive negotiations with insurance carriers. Such programs are already in place through larger payors and ACO projects.
A Super Group may be able to invest in ancillary services (e.g., lab services) and treatment modalities without violating the federal prohibition against self-referrals (Stark).
A Super Group may have increased leverage to negotiate lower medical malpractice premiums and other costs typically incurred by medical practices. This “group buying power” may also enable the Super Group to negotiate more favorable deals for products and services such as bank financing, EMR and Practice Management software and medical supplies and equipment.
Time consuming practice management functions, such as billing, accounts payable, credentialing, negotiating with vendors, pension administration and human resources administration, will be performed by a management company, allowing the Care Centers to focus on patient care and practice building.
The Care Centers will have the ability to share coding and billing practices in order to optimize collections.
Depending upon the geographic scope of the practice, the formation of a Super Group may provide the practice with the ability to negotiate more effectively with local hospitals.
Formation
Forming a Super Group usually involves three phases. The steps do not necessarily have to be followed in the exact order listed below, but these are generally the steps which a group must follow to properly and fully form the group. When practices are ready to form a Super Group, they should engage the services of an attorney who is familiar with Super Group formation and who understands the various legal restrictions and requirements which must be met. He or she will be able to help you walk through the steps listed below.
Phase One
Initial meetings to discuss short-term, medium-term and long-term goals and compile list of potential members;
Draft a letter of intent and confidentiality agreement by and among prospective members; and
Form Limited Liability Company, obtain federal tax identification number and state employer identification number.
Phase Two
Form an Implementation Committee;
Establish a meeting schedule for the Implementation Committee and other members;
Implement a due diligence process through the collection and analysis of critical financial and legal information from prospective owners;
Prepare an Operating Agreement and other organizational documents, which detail, among other issues, management structure, compensation formulas, committee structures, officer responsibilities, etc.; and
Evaluate legal issues including Federal Stark, Anti-Kickback, antitrust issues and state law issues.
Phase Three
Work with the attorney to draft “care center” agreements;
Establish board of directors based upon mechanism described in Operating Agreement;
Select officers and form committees (e.g., credentialing, Benefits, Information Technology);
Create policies and procedures to ensure legal compliance (e.g., billing compliance, HIPAA compliance);
Review and negotiate vendor contracts (e.g., practice management systems, EHR contracts);
Review and negotiate banking agreements (e.g., line of credit, term loan); and
Legal review of managed care contracts.
While it may seem like a big change from a small practice, becoming a member of a Super Group can bring many advantages to a practice and its physicians. It can provide a great deal of leverage in contracting and allow the physician members to participate in a number of endeavors they would not have otherwise been able to do. Super Groups can be an excellent way to stay competitive within the ever-changing landscape of healthcare.
Daniel B. Frier, Esq., is founding partner of Frier Levitt.
Source: Medical Economics, December 4, 2020 (https://www.medicaleconomics.com/view/what-you-need-to-know-about-forming-a-medical-super-group)
Drs. Christine K. Cassel and Molly J. Coye
Most of us are excitedly anticipating the arrival of new vaccines against the novel coronavirus that causes COVID-19. With Food and Drug Administration emergency use authorization of the first two vaccines and the very promising efficacy and safety data on which the EUAs are based, we can hope to prevent many thousands of deaths and begin to return to more normal life over the course of the coming year.
But it will be a long time before there is enough vaccine for everyone who wants and needs it. In a culture where threats of "rationing" have been enough to stymie many innovative health policies, we now find this term widely used in public discussion about allocation of the early and limited vaccine doses. Of course we have to ration, because there are so many people at risk and so little vaccine.
But who should be first? Authoritative national bodies such as the National Academy of Medicine and the Centers for Disease Control and Prevention have issued clear opinions about the ethical guidelines for vaccine allocation, and it appears most states and regions are adopting these general frameworks. There appears to be wide agreement that "healthcare personnel" should be the first group to be vaccinated.
The CDC and the independent Advisory Committee on Immunization Practices, or ACIP, define healthcare personnel as "paid and unpaid people serving in healthcare settings who have the potential for direct or indirect exposure to patients or infectious materials." CDC guidelines include a wide range of healthcare workers, and the actual decisions will be made at the local level. It is easy to say "put healthcare workers first," but the decisions about relative priorities may not be obvious.
We see vivid images of hospitals and especially intensive-care units in the news about COVID-19. Doctors and nurses are working hard in those tough environments, but so are respiratory and physical therapists; and the people who clean the rooms, transport patients, transport bodies or work in the morgue when a patient dies. There are many nonclinical workers who may be at risk of encountering contagion, such as intake workers in emergency departments, urgent-care centers and laboratory settings who are wearing only minimal protective gear, i.e., a mask and perhaps gloves.
Less visible are the many people outside of hospital settings to be considered in these ethical frameworks. Almost 10 million people each year receive care in nursing homes, assisted-living residential settings, hospices and at home. At least 1.5 million staff are involved in direct care, but this doesn’t even include administrative staff, food and environmental services workers, and an unmeasured but critically important cadre of volunteers.
In addition to nursing home workers, there are many personal care workers who face the same challenges of public transportation, family demands and child care that are faced by minimum-wage workers in other sectors of the economy. They are exposed to contagion by the nature of their work and by the struggles of their daily lives, and if they become infected they are at risk for worse outcomes.
Of all these millions of workers, who should receive priority in these first critical months?
The ACIP based its priorities on four ethical principles: Maximize benefits and minimize harms; mitigate health inequities; promote justice; and promote transparency. The first three would all seem to point in the direction of more emphasis on workers who are in the community rather than in the hospital. Their numbers are greater, and their potential to expose others is greater because they do not have the elaborate protective gear used in hospitals. The third principle, promote justice, invokes the notion of fairness—that people who are most disadvantaged in confronting this risk should receive special consideration.
While all healthcare workers deserve our respect and admiration, and it would be ideal if all could be vaccinated right away, tough decisions must be made. And the minimum-wage workers face much more difficult personal challenges than the traveling nurses who are earning twice normal pay and staying in hotels.
A rigorous approach to mitigating health inequities and promoting justice would take into account not only the risk of infection but the risks of the devastating consequences to minimum-wage workers who have no support for child care, no options except for public transportation, and family members who face exposure in their own work. These workers do not have the public face of hospital workers rightly honored in the media, but the risks to themselves and their families may be just as great or greater.
For both lower-paid workers in healthcare settings and essential workers in the community, the question should be how to apply the first three principles of the ACIP framework. And because of the far fewer resources that lower-paid workers bring to their risk of contracting COVID-19—and its outcomes for them—we should consider elevating our assessment of their need and ensure that we rapidly extend vaccination beyond traditional health settings to most essential workers in the community.
We applaud all the ACIP principles, especially their commitment to transparency. We all wish that everyone who needs it could be vaccinated immediately. But we are faced with deciding who "needs it the most," and that deliberation is worth some reflection. The specifics of these decisions will be interpreted and implemented at the state and local levels. If we endorse the ACIP ethical principles of mitigating health inequities and promoting justice, we should include consideration of the social determinants of risk as we select the first in line for the vaccines.
Source: Modern Healthcare, December 18, 2020 (https://www.modernhealthcare.com/opinion-editorial/rationing-vaccines-what-fair)
By Joanna Terry
The COVID-19 pandemic has had a significant effect on almost every medical practice in the US. Many have had to limit delivery of care or find new strategies to keep patients and staff safe. Interior design and furniture can play a role in infection prevention, often using items already in place. Here are some suggestions to consider that are effective and cost sensitive.
Expand telehealth
Many practices are investing in expanding their telehealth capabilities during this time, which especially fits the needs of patients who have chronic conditions or need follow-up care and are uncomfortable leaving home and risking infection. Telehealth services offer greater safety for both patients and staff; they also save time and resources (including PPE) and have a positive impact on the environment.
Carefully consider what types of patients can safely be seen and monitored remotely and ensure that any temporary telemedicine spaces meet current HIPAA requirements. Staff will need appropriate equipment: monitors, cameras, microphones, workspaces and a stable internet connection. Investing in expanding your current telehealth programs can increase patient satisfaction, ensure that non-COVID health conditions are treated safely and provide a continued revenue stream for your practice.
Manage patient flow
Waiting and common areas have the potential to be a calming, comforting space, but daily use by multiple individuals means they are also a place where infections can be passed from person to person. Managing the flow of patients in your facility is critical to keeping everyone safe.
Set clear policies on arrival times, mask compliance and visitors/companions and ensure that patients are notified in advance of their visit. Making sure that patients do not enter the facility until close to their appointment time limits capacity and lowers risk. Unless absolutely necessary, visitors should not be permitted into the facility. Make sure that hand hygiene supplies are easily accessible and that masks are provided when needed.
Some practices are eliminating waiting rooms during the pandemic and escorting patients directly to an exam room to wait for a caregiver. If that is not possible, ensure that your waiting space supports infection prevention. That may mean removing chairs, or blocking off seats to preserve social distancing. After a chair has been used, consider placing a laminated tag on the seat notifying others that the chair should not be used. Once the seat has been sanitized by staff, the chair can be returned to use. Portable dividers can be an effective method of creating separation and offering privacy—and can be reused in other office spaces once they are no longer required in the waiting area.
Technology can help make waiting more enjoyable and have long-term benefits for your practice. Offering a guest WiFi network gives patients the chance to work, decompress and stay entertained while they wait for care. Consider installing self check-in kiosks or offering the option to check in for appointments digitally. This eliminates a point of infection and saves on staff time.
Use the right materials
Consistent and thorough cleaning is critical to infection control. That applies to furniture and fixtures as well. Using harsh disinfectants can take a toll on materials like wood and fabric, causing them to degrade quickly and fail. When cleaning, follow the manufacturer’s instructions (paying attention to dwell times needed to eliminate bacteria) and be sure to rinse with clean water afterward to remove chemical residues and help prolong material life. Ask if the cleaners you are using can safely be applied to your chosen material.
Standard upholstery and wood can add a warm, welcoming look to your space, but both are porous and cannot be disinfected effectively. Fabric in particular can trap and hold bacteria deep within fibers, making this material a real challenge to clean between uses. It is worth considering replacing wood or fabric items with more durable, cleanable options made from vinyl and metal. These materials are far more durable, can be easily cleaned and have a higher resistance to chemical disinfectants, ensuring a longer useful life.
Take care of the front line
This pandemic has been very stressful, especially for healthcare workers. Ensure that your team has dedicated spaces to rest and recharge during long and demanding shifts. Provide comfortable seating, along with tables and chairs for a quick meal. These areas should be completely separated from patient care spaces, with access to a restroom, a place to store personal belongings and a place to take a break and eat.
Giving staff a welcoming space to decompress and rest helps prevent burnout and fatigue and can help prevent medical errors. If possible, provide natural daylight and access to the outside, which can help users relax. Don’t forget to include all staff. Maintenance, office workers and cleaners (among others) are working hard to keep spaces clean, safe and functioning during this stressful time.
Managing a medical practice during a global pandemic is a challenge; there is a responsibility to ensure safety for your patients, your employees and the community. Making small, inexpensive changes now can have a large payoff down the road in increasing patient and staff satisfaction.
Terry is director of healthcare sales at National Business Furniture with more than 20 years of industry experience.
Source: Medical Economics, December 9, 2020 (https://www.medicaleconomics.com/view/cost-effective-design-changes-medical-practices-can-make)
By Tammy Worth
Lifespan Health System, a nonprofit healthcare provider in Rhode Island, recently agreed to a $1.04 million settlement with the Office for Civil Rights (OCR). An unencrypted laptop was stolen from an employee’s car, potentially releasing the protected health information (PHI) of more than 20,000 patients. The laptop was never recovered.
During its investigation, OCR found that Lifespan did not encrypt some of its laptops even after the health system found it to be reasonable and appropriate to do so. Among other HIPAA violations, Lifespan did not inventory and track devices containing PHI.
This comes as the Department of Health and Human Services (HHS) released a summer security newsletter emphasizing the importance of an IT asset inventory. Although this inventory is not required by HIPAA, it is a necessary first step in a risk assessment process.
“Compliance requirements are meaningless if you don’t know what you have to protect,” said Nathan Burke, chief marketing officer of Axonius Inc., a cybersecurity company based in New York City. “The only way we can secure a system is to know what we have first and once we know, we can segment and drill into the details.”
In the newsletter, OCR said it frequently finds that organizations do not know where all their PHI is located. When his organization analyzes a system, Burke said, they always find devices that are unmanaged, meaning they are not being tracked and patched by the organization’s IT staff even though they are linked to PHI in some way.
A simple inventory
Taking an inventory of a practice’s IT a decade ago was much simpler than it is now. Today, organizations need to take stock of a wider array of hardware, including mobile devices, voice over internet protocol (VoIP) phones, printers, firewalls, and routers. Software assets like anti-malware programs, email, and electronic medical records should also be included in an inventory. To get a full scope of their inventory, practices should understand the flow of PHI and any hardware or software used to store, maintain, create, or transmit that information. With many people working remotely, practices must take into account things like Google Home or Alexa devices if a staff member is using those.
“It requires the practice to be a bit of a sleuth and sit down and think hard about every piece of equipment that might brush up against PHI,” said Maggie Hales, chief executive officer of the ET&C Group, LLC, based in St. Louis, Missouri. “But it doesn’t require expensive outside consultants or a PhD in coding. It’s about having the right tools, asking the right questions and being thorough.”
A very basic IT asset inventory is simply a list that includes each device, where it is located, the operating system in use, and if it is being managed. That list is then used to identify gaps in the system. For instance, an inventory might turn up a computer with Windows 7, an operating system for which patches are no longer available. In Lifespan’s case, an IT inventory would have alerted them that staff had unencrypted laptops, leaving the devices vulnerable to a breach.
A good inventory can also help track PHI and allows a scan of the network to detect when unknown devices or applications are operating there.
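As an added illustration (not from the article or from any tool it names), the basic inventory described above can be checked for the gaps the article mentions with a short script. The column names, sample rows, MAC addresses and end-of-support list are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory (not from the article): one row per asset.
INVENTORY_CSV = """\
asset_id,type,location,os,managed,encrypted,handles_phi,mac
LT-001,laptop,Front desk,Windows 10,yes,yes,yes,aa:bb:cc:00:00:01
LT-002,laptop,Dr. office,Windows 10,yes,no,yes,aa:bb:cc:00:00:02
PC-003,desktop,Billing,Windows 7,yes,yes,yes,aa:bb:cc:00:00:03
TV-004,smart tv,Conference room,Android TV,no,no,no,aa:bb:cc:00:00:04
PR-005,printer,Nurses station,embedded,no,no,yes,aa:bb:cc:00:00:05
"""
# Constructed MAC addresses, as a network scan might report them.
SCAN_MACS = ["AA:BB:CC:00:00:01", "aa:bb:cc:00:00:04", "aa:bb:cc:00:00:99"]
# Assumption: operating systems this practice treats as past end of support.
UNSUPPORTED_OS = {"windows 7", "windows xp"}
PORTABLE = {"laptop", "tablet", "phone"}

def _yes(value):
    return value.strip().lower() in {"yes", "y", "true", "1"}

def load_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_gaps(assets):
    """Return {asset_id: [gap, ...]} for every asset with at least one gap."""
    gaps = {}
    for a in assets:
        found = []
        if not _yes(a["managed"]):
            found.append("unmanaged")
        if a["os"].strip().lower() in UNSUPPORTED_OS:
            found.append("unsupported OS")
        if a["type"].lower() in PORTABLE and _yes(a["handles_phi"]) and not _yes(a["encrypted"]):
            found.append("unencrypted portable device with PHI")
        if found:
            gaps[a["asset_id"]] = found
    return gaps

def unknown_devices(assets, scan_macs):
    """MACs seen on the network that no inventory row accounts for."""
    known = {a["mac"].strip().lower() for a in assets}
    return sorted({m.strip().lower() for m in scan_macs} - known)

if __name__ == "__main__":
    assets = load_inventory(INVENTORY_CSV)
    for asset_id, found in find_gaps(assets).items():
        print(asset_id, "->", ", ".join(found))
    print("not in inventory:", unknown_devices(assets, SCAN_MACS))
```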
Taking an IT inventory is an area of HIPAA where compliance is simpler if the practice is smaller. The Department of Health and Human Services has a Risk Assessment Tool that practices can use to manually enter or bulk load asset information. ET&C’s HIPAA E-Tool is also tailored for smaller practices wanting to do a lot of the work in house. For larger systems with hundreds or thousands of devices, it may be impossible to have staff perform this kind of task.
That’s where groups like Axonius come into the picture. Their platform integrates with an organization’s network and takes an inventory of everything connected to the internet. The platform then allows providers to use queries to find different programs and identify where gaps might be in a system. For instance, someone can type in Windows and the laptops would pop up, enabling staff to catch those that were not encrypted.
Burke said they consistently find gaps in their clients’ systems after performing an inventory. Even small things like a smart TV in the conference room that is not managed by the IT department can be vulnerable to a breach. “There are always a bunch of devices that groups think are under management but are not,” he said.
All IT assets in a practice should be managed, updated, and secured, Burke said. The inventory to enable this should be done at least quarterly, though Burke said that may not even be frequent enough to keep track.
“It will help them understand what they have but by the time they are done things are already obsolete because IT changes so much,” he said.
Source: Renal & Urology News, September 15, 2020 (https://www.renalandurologynews.com/home/departments/hipaa-compliance/health-information-technology-hipaa-inventory-computers-devices/)