– Industry efforts to remove a Congressional ban on funding the development of a unique patient identifier stalled last week, as Senate appropriators declined to include the language in its draft fiscal year 2020 funding legislation.
Released on Wednesday, the Senate Appropriations Subcommittee’s proposal would keep the two-decades-old ban on providing funds to the Department of Health and Human Services for the development of a unique patient identifier.
Since 1999, a provision written into every Congressional budget has included the ban. However, the House of Representatives signaled support to remove the provision and implemented an amendment to eliminate the ban in its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020.
Industry stakeholders like CHIME have been calling for a removal of the ban in recent years and had hoped the House’s support would move into the Senate. But the draft bill does not include funds for HHS to begin developing a unique patient identifier, which many believe would help with patient privacy risks.
“None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the 13 standard,” according to the bill.
In 2018, CHIME told HHS that as it works toward strengthening healthcare innovation and investment, officials should seek out technology that more accurately identifies patients and work with the Centers for Medicare and Medicaid Services to promote patient identification solutions.
“CHIME has long been a supporter of developing a national patient identifier to accurately and efficiently match patients with the correct record,” CHIME officials explained at the time. “This is integral to CMS’ goal to achieve the free-flowing exchange of patient records and true interoperability.”
“From the perspective of CHIME, accurately matching patients to their data should be one of the principal goals of the innovation work group,” they added.
Just last month, CHIME joined 55 other stakeholder groups urging the Senate to remove the ban or to adopt the unique patient identifier, as well as identifying a solution to protect patient privacy.
The Health Innovation Alliance made a similar call to Congress on September 18, calling out the Senate for its failure to include the provisions to remove the “antiquated” ban. The lack of a unique patient identifier is not only a privacy risk, but patient safety concern, as well.
“Senate appropriators’ initial rejection of the overwhelming, bipartisan will of the House of Representative on UPI funding is disappointing, but there is still time to change course,” HIA Executive Director Joel White, said in a statement. “This outdated ban has contributed to healthcare waste and misspending while threatening patient safety for far too long.”
“With the UPI ban in place, studies show patients are accurately matched to their medical records as seldom as 50 percent of the time,” he added. “That is a failing score that Washington must not accept.”
– The HealthCare Executive Group unveils its annual 2020 HCEG top 10 critical challenges, issues and opportunities healthcare executives expect to face in 2020.
– Over 100 C-Suite and director level executives were presented with a list of over 25 topics. Initially compiled from webinars, roundtables and the 2019 Industry Pulse Survey.
After 2.5 days of facilitated interactive discussions during
this week’s HCEG Annual Forum in
Boston, over 100 healthcare c-suite and director level executives voted and
then ranked their top 10 critical challenges, issues and opportunities they
expect to face in 2020.
2020 HCEG Top 10 Background/Methodology
Executives from payer, provider, and technology partner organizations were presented with a list of over 25 topics. Initially compiled from webinars, roundtables and the 2019 Industry Pulse Survey, the list was augmented by in-depth discussions during the Forum, where industry experts explored and expounded on a broad range of current priorities within their organizations. The HCEG Annual Forum concluded with HCEG Board Members announcing the results of the year-long process that determined the 2020 HCEG Top 10.
After its initial delineation during this week’s HCEG
Annual Forum, the 2020 HCEG Top 10
serves as the basis for the coming year’s discussion, industry-wide analysis
and in-depth research performed by sponsor partners, member organizations and
Here are the 2020 HCEG Top 10 Challenges,
Issues, and Opportunities for healthcare executives:
1. Costs & Transparency – Implementing strategies and tactics to address the growth of medical and pharmaceutical costs and impacts to access and quality of care.
2. Consumer Experience – Understanding, addressing and assuring that all consumer interactions and outcomes are easy, convenient, timely, streamlined, and cohesive so that health fits naturally into the “life flow” of every individual’s, family’s and community’s daily activities.
3. Delivery System Transformation – Operationalizing and scaling coordination and delivery system transformation of medical and non-medical services via partnerships and collaborations between healthcare and community-based organizations to overcome barriers including social determinants of health to effect better outcomes.
4. Data & Analytics – Leveraging advanced analytics and new sources of disparate, non-standard, unstructured, highly variable data (history, labs, Rx, sensors, mHealth, IoT, Socioeconomic, geographic, genomic, demographic, lifestyle behaviors) to improve health outcomes, reduce administrative burdens and support transition from volume to value and facilitate individual/provider/payer effectiveness.
5. Interoperability / Consumer Data Access – Integrating and improving the exchange of member, payer, patient, provider data and workflows to bring value of aggregated data and systems (EHR’s, HIE’s, financial, admin and clinical data, etc) on a near real-time and cost-effective basis to all stakeholders equitably.
6. Holistic Individual Health – Identifying, addressing and improving the member/patient’s overall medical, lifestyle/behavioral, socioeconomic, cultural, financial, educational, geographic and environmental well-being for a frictionless and connected healthcare experience.
7. Next Generation Payment Models – Developing and integrating technical and operational infrastructure and programs for a more collaborative and equitable approach to manage costs, sharing risk and enhanced quality outcomes in the transition from volume to value. (bundled payment, episodes of care, shared savings, risk-sharing, etc).
8. Accessible Points of Care – Telehealth, mHealth, wearables, digital devices, retail clinics, home-based care, micro-hospitals; and acceptance of these and other initiatives moving care closer to home and office.
9. Healthcare Policy – Dealing with repeal/replace/modification of current healthcare policy, regulations, political uncertainty/antagonism and lack of a disciplined regulatory process. Medicare-for-All, single-payer, Medicare/Medicaid buy-in, block grants, surprise billing, provider directories, association health plans, and short-term policies, FHIR standards, and other mandates.
10. Privacy / Security – Staying ahead of cybersecurity threats on the privacy of consumer and other healthcare information to enhance consumer trust in sharing data. Staying current with changing landscape of federal and state privacy laws.
Why It Matters
“HCEG member organizations express that the demand for, and pace of change and innovation is accelerating as healthcare has moved to center stage in the national debate. It shouldn’t be surprising that costs and transparency is at the top of the list along with the consumer experience and delivery system transformation,” observes Ferris W. Taylor, Executive Director of HCEG.
The HCEG Top 10 will be complemented by the 10th
annual, nationwide, Industry Pulse Survey. In early October, healthcare leaders
across the nation will be invited to participate in the research to backdrop
and contrast their own perspectives against the 2020 HCEG Top 10.
How is HIPAA enforced? That may be a simple enough question, but it also contains more nuance than may initially be expected. Determining how HIPAA is enforced can depend upon how the term enforcement is viewed and interpreted.
The first step is to define enforcement. The dictionary definition of enforcement includes the following statements: (i) to give force to, (ii) to urge with energy, (iii) constrain, compel, (iv) to effect or gain by force, or (v) to carry out effectively. Looking at the definition comprehensively, enforcement is a means of compelling compliance with a concept or requiring another to follow a particular thing (in this case law and regulations). Enforcement by its nature is arguably imposing a non-voluntary action or requirement onto a person through some outside force.
Given the broad definition and impact of enforcement as a concept, how does that apply to HIPAA? For HIPAA, enforcement looks at how a person (defining a person to be an actual individual, an organization, or any other entity) is forced into acting consistently with the dictates of the HIPAA statute and implementing regulations. As with the definition, means of enforcement in practice can and are quite varied.
The most obvious form of enforcement is through actions of the HHS Office for Civil Rights (OCR). OCR is currently designated by the federal government to oversee HIPAA. Oversight includes providing guidance and promulgating regulations to set out what is required to comply with HIPAA. When a person reports a violation, discloses a breach, a complaint is filed, or some other disclosure occurs, OCR can also pursue an investigation and issue fines or penalties. The fines or penalties will grab many headlines. In fact, a recent settlement imposing the first fine on a healthcare organization for failing to honor an individual’s right of access generated significant amounts of discussion. From the enforcement perspective, fines and penalties are clearly a form of monetary enforcement. A fine or penalty could also be seen as a form of public shaming. The dollar amount is announced and many will speculate as to the full extent of conduct that formed the basis for the amount.
As suggested, OCR also pursues enforcement in the form of investigations and audits. An investigation typically follows any disclosure of a breach or the filing of a complaint. OCR will seek verification from the disclosing entity or subject of the complaint about the extent of compliance with HIPAA regulations and dive into deeper levels of compliance. The act of the investigation itself can spur the subject to voluntarily take steps to improve compliance. Another frequent outcome is for OCR to provide technical assistance in resolving the matter. Technical assistance is jargon for saying that the entity got advice from OCR as to what HIPAA expects and it is asserted that changes will be made. If an individual filed a complaint, enforcement in the form of technical assistance can feel less than satisfying, especially if issues keep recurring.
Aside from OCR, state attorneys general can also enforce HIPAA through the imposition of monetary fines or penalties. Historically, a settlement from an attorney general was quite infrequent. The pace of settlements from attorneys general has picked up over recent years, at least comparatively. Examples can be found in Massachusetts, New Jersey, and New York as well as some states piggybacking offer of settlements from OCR.
As noted, monetary fines and penalties draw a lot of headlines but represent a fraction of issues occurring with HIPAA non-compliance. OCR receives well over ten thousand complaints per year, but there have never been more than 15 monetary settlements in a year. That means the most likely form of enforcement from the government is an investigation resolved through technical assistance.
A growing alternative means of enforcement is a lawsuit initiated by one or more individuals impacted by a breach. Some large breaches have resulted in class action cases being brought against the breached organization. However, a lawsuit is not actually HIPAA enforcement. The lawsuit cannot be HIPAA enforcement because there is no private right of action under HIPAA, which means an impacted individual cannot claim that their “HIPAA rights” were violated. Instead, it is necessary to identify a state law cause of action. The state law action may be premised upon HIPAA, but the issue is really one of state law. Another challenge for a lawsuit is that the impacted individuals may not have suffered any direct damages (yet). Some lawsuits have been dismissed for failure to state any damages, but other cases have been allowed to proceed based on an increased likelihood of harm. Lawsuits should be viewed as a potentially growing means of enforcement though.
One final means of enforcement to consider for now is contractual enforcement. Specifically, the focus is on business associates and subcontractors of business associates. As should hopefully be well known, the upstream entity must execute a business associate agreement before allowing the downstream entity to use or disclose its protected health information. The business associate agreement is one form of enforcement, but it can be followed up by the upstream entity monitoring compliance with the terms of the agreement, which in effect means HIPAA compliance. While that is a possibility and the terms of some business associate agreements will be strong on the point, actual follow-thru may not be that common. Given the number of concerns though, there arguably should be more activity on this front.
The discussion about enforcement should demonstrate that it is not just a fine or penalty. Enforcement is layered and takes many forms. Ultimately, the goal is to not just demonstrate compliance with HIPAA requirements, but take actions above and beyond to truly secure the privacy and security of sensitive healthcare information.TrendMD v2.4.3
– About 320,000 Premier Family Medical patients are being notified that their data was potentially compromised after a ransomware attack in July.
On July 8, the Utah provider discovered a ransomware attack on some of its IT systems, which blocked access to patient data and other functions. Law enforcement was notified, as Premier Family Medical worked to regain access and investigate with assistance from technical consultants.
The notification did not provide details into Premier Family Medical’s recovery efforts, including when files were unlocked and if they were restored from backups. However, officials said that the investigation found no evidence data was accessed or taken during the security incident.
The provider has since enhanced its security to prevent a recurrence. According to McAfee, ransomware attacks have doubled in 2019, with hackers steadily increasing brute-force attacks on remote desktop protocol services and SMB (server message block).
Providers Still Recovering from Digital Dental Record Ransomware Attack
During the last week of August, a ransomware attack on Digital Dental Record (DDS Safe) and PerCSoft impacted hundreds of dental provider offices across the country. According to the most recent update, some providers are still attempting to get back online.
The infection started on Monday, August 26, and before the vendors were able to remove the virus, it had spread to hundreds of its dental clients. DDS Safe and PerCSoft have been working with its software team to fix the issue and are leveraging a decryptor to unlock files of the affected providers.
What’s more, the vendors have been working with the FBI’s CyberCrime Task Force. At the moment, the investigation has not revealed any type of data compromise.
“If that changes, and investigators confirm that the attack released private business and patient data versus simply locking it, DDS Safe and PerCSoft will immediately communicate that to impacted clients and assist them in complying with the appropriate next steps,” DDS Safe’s Mara Roberts, said in a statement.
“The team is fully aware of the possible reporting rules and deadlines and is working tirelessly to determine the extent of notification – if any – that may be required,” she added. “We regret the frustration and difficulty this situation has caused and have devoted all resources to resolving it as quickly and completely as possible.”
According to the notice, some of these dental providers are being contacted by outside consultants attempting to sell the offices IT and identity restoration services. Officials recommended that providers exercise caution when seeking advice from those unfamiliar with the incident.
Alive Hospice Corrects July Breach Notification
Alive Hospice is sending fresh breach notifications to patients impacted by its May email hack, due to a mailing error that resulted in patients receiving letters addressed to other individuals.
On May 6, officials discovered a hacker gained access to an employee email hack for two days, beginning on May 4. The investigation determined the compromised account contained a trove of patient details including contact information, demographic data, Social Security numbers, driver’s licenses, medical histories, provider details, health insurance data, and a host of other identifiers.
Nearly one week after the notification letters were sent, Alive discovered a mailing error during the address export process that resulted in letters being addressed to the incorrect recipient. Officials said they corrected the error and mailed a second letter to affected patients shortly afterward.
The initial notification letters did not contain any reference to treatments received at Alive or any protected health information. The information related solely to the breach at Alive and included the incorrect recipient’s name.
A new drug, BPN14770, may protect against memory loss, nerve damage, and other symptoms of Alzheimer’s disease, researchers report.
Preclinical research found that BPN14770 deters the effects of amyloid beta, a hallmark protein of Alzheimer’s that is toxic to nerve cells.
Recent studies find Alzheimer’s may develop without dementia in nearly 25% of healthy 80-year-old patients, suggesting the body may turn to compensatory mechanisms to maintain the nervous system.
BPN14770 could help activate these mechanisms that support nerve health and prevent dementia, even with the progression of Alzheimer’s.
Its benefits could also translate to Fragile X syndrome, developmental disabilities, and schizophrenia, the researchers say.
“Such observations imply that Alzheimer’s pathology can be tolerated by the brain to some extent due to compensatory mechanisms operating at the cellular and synaptic levels,” says Ying Xu, co-lead investigator and research associate professor in the School of Pharmacy and Pharmaceutical Sciences at the University at Buffalo.
“Our new research suggests that BPN14770 may be capable of activating multiple biological mechanisms that protect the brain from memory deficits, neuronal damage, and biochemical impairments.”
Working with mice, the researchers found that BPN14770 inhibits the activity of phosphodiesterase‐4D (PDE4D), an enzyme that plays a key role in memory formation, learning, neuroinflammation, and traumatic brain injury.
PDE4D lowers cyclic adenosine monophosphate (cAMP)—a messenger molecule that signals physiological changes such as cell division, change, migration, and death—in the body, leading to physical alterations in the brain.
cAMP has numerous beneficial functions, including improved memory. By inhibiting PDE4D, BPN14770 increases cAMP signaling in the brain, which ultimately protects against the toxic effects of amyloid beta.
“The role of PDE4D in modulating brain pathways involved in memory formation and cognition, and the ability of our PDE4D inhibitor to selectively enhance this process, has been well studied,” says Mark E. Gurney, chairman and chief executive officer of Tetra Therapeutics, which developed the drug. “We are very excited by our colleagues’ findings, which now suggest a second protective mechanism of action for BPN14770 against the progressive neurological damage associated with Alzheimer’s disease.”
“Developing effective drugs for memory deficits associated with Alzheimer’s disease has been challenging,” says James M. O’Donnell, dean and professor of the School of Pharmacy and Pharmaceutical Sciences. “BPN14770 works by a novel mechanism to increase cyclic AMP signaling in the brain, which has been shown to improve memory. The collaborative project has led to clinical trials that will begin to test its effectiveness.”
Tetra Therapeutics is conducting Phase 2 clinical trials of BPN14770 in patients with early Alzheimer’s and adults with Fragile X syndrome, a genetic disorder that causes intellectual and developmental disabilities.
Results of previous Phase 1 studies in healthy elderly volunteers suggest the drug benefits working, or immediate, memory. Animal studies found that BPN14770 has the potential to promote the maturation of connections between neurons, which are impaired in patients with Fragile X syndrome, as well as protect these connections, which are lost in patients with Alzheimer’s.
“There has been enormous interest in our ongoing Phase 2 trial of BPN14770 in 255 patients with early Alzheimer’s, and we are hopeful this study will show an impact of PDE4D modulation in this disease. Topline results are expected mid-2020,” says Gurney.
Support for the research came from the National Institutes of Health Blueprint Neurotherapeutics Network through the National Institute of Neurological Disorders and Stroke, National Institute on Aging, and National Institute of Mental Health.